summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-03 11:40:19 +0000
committerChristian Poessinger <christian@poessinger.com>2021-07-03 13:45:31 +0200
commit2d79a5000c8a02fd7570f629c3182fd55fdb8c86 (patch)
treef6e32e8e97e805a9b08c18eeb7ab5e1833609311
parentff004bee54df0b298c56e91b5f41dda075d35220 (diff)
downloadvyos-1x-2d79a5000c8a02fd7570f629c3182fd55fdb8c86.tar.gz
vyos-1x-2d79a5000c8a02fd7570f629c3182fd55fdb8c86.zip
ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string
-rw-r--r--python/vyos/template.py46
-rw-r--r--src/tests/test_template.py60
2 files changed, 106 insertions, 0 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 5c12e9914..f03fd7ee7 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -387,3 +387,49 @@ def get_ip(interface):
""" Get interface IP addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr()
+
+@register_filter('get_esp_ike_cipher')
+def get_esp_ike_cipher(group_config):
+ pfs_lut = {
+ 'dh-group1' : 'modp768',
+ 'dh-group2' : 'modp1024',
+ 'dh-group5' : 'modp1536',
+ 'dh-group14' : 'modp2048',
+ 'dh-group15' : 'modp3072',
+ 'dh-group16' : 'modp4096',
+ 'dh-group17' : 'modp6144',
+ 'dh-group18' : 'modp8192',
+ 'dh-group19' : 'ecp256',
+ 'dh-group20' : 'ecp384',
+ 'dh-group21' : 'ecp512',
+ 'dh-group22' : 'modp1024s160',
+ 'dh-group23' : 'modp2048s224',
+ 'dh-group24' : 'modp2048s256',
+ 'dh-group25' : 'ecp192',
+ 'dh-group26' : 'ecp224',
+ 'dh-group27' : 'ecp224bp',
+ 'dh-group28' : 'ecp256bp',
+ 'dh-group29' : 'ecp384bp',
+ 'dh-group30' : 'ecp512bp',
+ 'dh-group31' : 'curve25519',
+ 'dh-group32' : 'curve448'
+ }
+
+ ciphers = []
+ if 'proposal' in group_config:
+ for priority, proposal in group_config['proposal'].items():
+ # both encryption and hash need to be specified for a proposal
+ if not {'encryption', 'hash'} <= set(proposal):
+ continue
+
+ tmp = '{encryption}-{hash}'.format(**proposal)
+ if 'dh_group' in proposal:
+ tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ]
+ elif 'pfs' in group_config and group_config['pfs'] != 'disable':
+ group = group_config['pfs']
+ if group_config['pfs'] == 'enable':
+ group = 'dh-group2'
+ tmp += '-' + pfs_lut[group]
+
+ ciphers.append(tmp)
+ return ciphers
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index 67c0fe84a..2d065f545 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -122,3 +122,63 @@ class TestVyOSTemplate(TestCase):
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48'))
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64'))
self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64'))
+
+ def test_cipher_to_string(self):
+ ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256'
+ IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024'
+
+ data = {
+ 'esp_group': {
+ 'ESP_DEFAULT': {
+ 'compression': 'disable',
+ 'lifetime': '3600',
+ 'mode': 'tunnel',
+ 'pfs': 'dh-group19',
+ 'proposal': {
+ '10': {
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256',
+ },
+ '20': {
+ 'encryption': 'aes128ccm64',
+ 'hash': 'sha256',
+ }
+ }
+ }
+ },
+ 'ike_group': {
+ 'IKEv2_DEFAULT': {
+ 'close_action': 'none',
+ 'dead_peer_detection': {
+ 'action': 'hold',
+ 'interval': '30',
+ 'timeout': '120'
+ },
+ 'ikev2_reauth': 'no',
+ 'key_exchange': 'ikev2',
+ 'lifetime': '10800',
+ 'mobike': 'disable',
+ 'proposal': {
+ '10': {
+ 'dh_group': '19',
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256'
+ },
+ '20': {
+ 'dh_group': '2',
+ 'encryption': 'aes128ccm128',
+ 'hash': 'md5_128'
+ },
+ }
+ }
+ },
+ }
+
+ for group_name, group_config in data['esp_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(ESP_DEFAULT, ','.join(ciphers))
+
+ for group_name, group_config in data['ike_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(IKEv2_DEFAULT, ','.join(ciphers))
+