summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:31:38 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 15:31:38 +0200
commita1abb118c9eb413f3c78cfb2077f9c0d4b443c3a (patch)
tree7e44119b3054f54d18e216a8f63e84346e92073d
parent2d79a5000c8a02fd7570f629c3182fd55fdb8c86 (diff)
downloadvyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.tar.gz
vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.zip
ipsec: T2816: rework IKE and ESP key assignment
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string") added a Jinja2 helper function which can be used to transform VyOS CLI ESP and IKE key proposals into a strongSwan compatible string cipher. This commit changes the IPSec implementation to make use of this new Jinja2 filter fubction/Python helper. This is required base work for better automated tests (smoketests) but also for an IKEv2 road-warrior setup.
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl34
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl24
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl13
-rw-r--r--interface-definitions/vpn_ipsec.xml.in46
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py5
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py167
6 files changed, 105 insertions, 184 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 116d62beb..cafe52e78 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,25 +1,17 @@
### Autogenerated by vpn_ipsec.py ###
-
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
-{% if profile is defined or site_to_site is defined %}
connections {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
-{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% set peer_ike = ike_group[peer_conf.ike_group] %}
-{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
-{% set auth_type = authby[peer_conf.authentication.mode] %}
-{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
-{% endfor %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{% endfor %}
{% endif %}
}
@@ -38,9 +30,9 @@ secrets {
{% if site_to_site is defined and site_to_site.peer is defined %}
{% set ns = namespace(local_key_set=False) %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% set peer_name = peer.replace(".", "-").replace("@", "") %}
{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
- ike_{{ peer_conn_name }} {
+ ike_{{ peer_name }} {
{% if peer_conf.local_address is defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{% endif %}
@@ -54,7 +46,7 @@ secrets {
secret = "{{ peer_conf.authentication.pre_shared_secret }}"
}
{% elif peer_conf.authentication.mode == 'x509' %}
- private_{{ peer_conn_name }} {
+ private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
@@ -69,4 +61,4 @@ secrets {
{% endfor %}
{% endif %}
}
-{% endif %}
+
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 7cc3fa29f..0559d1dac 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -1,7 +1,10 @@
-{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %}
+{% macro conn(peer, peer_conf, ike_group, esp_group) %}
+{% set name = peer.replace(".", "-").replace("@", "") %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
- proposals = {{ ciphers.ike[peer_conf.ike_group] }}
- version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }}
+ proposals = {{ ike | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
@@ -31,9 +34,7 @@
{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
-{% if auth_type %}
- auth = {{ auth_type }}
-{% endif %}
+ auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
{% elif peer_conf.authentication.mode == 'rsa' %}
@@ -46,9 +47,7 @@
{% elif peer[0:1] == '@' %}
id = "{{ peer }}"
{% endif %}
-{% if auth_type %}
- auth = {{ auth_type }}
-{% endif %}
+ auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub
{% endif %}
@@ -57,7 +56,7 @@
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
peer_{{ name }}_vti {
- esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }}
+ esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
@@ -77,8 +76,7 @@
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
}
-{% endif %}
-{% if peer_conf.tunnel is defined %}
+{% elif peer_conf.tunnel is defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
@@ -88,7 +86,7 @@
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
- esp_proposals = {{ ciphers.esp[tunnel_esp_name] }}
+ esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }}
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index f6f6f4d70..0360972f6 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -1,9 +1,12 @@
-{% macro conn(name, profile_conf, ike, esp, ciphers) %}
+{% macro conn(name, profile_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[profile_conf.ike_group] %}
+{% set esp = esp_group[profile_conf.esp_group] %}
{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{% for interface in profile_conf.bind.tunnel %}
dmvpn-{{ name }}-{{ interface }} {
- proposals = {{ ciphers.ike[profile_conf.ike_group] }}
- version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }}
+ proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
rekey_time = {{ ike.lifetime if ike.lifetime is defined else '28800' }}s
keyingtries = 0
{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
@@ -16,12 +19,12 @@
{% endif %}
children {
dmvpn {
- esp_proposals = {{ ciphers.esp[profile_conf.esp_group] }}
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
rekey_time = {{ esp.lifetime if esp.lifetime is defined else '3600' }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
- mode = {{ esp.mode if esp.mode is defined else "transport" }}
+ mode = {{ esp.mode if esp.mode is defined else 'transport' }}
{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index f51c2fc92..6aff7bef5 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -92,95 +92,95 @@
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Enable PFS. Use ike-groups dh-group (default)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024) - default</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
- <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description>
+ <description>Use Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>dh-group2</format>
- <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>dh-group5</format>
- <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description>
+ <description>Use Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>dh-group14</format>
- <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description>
+ <description>Use Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>dh-group15</format>
- <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description>
+ <description>Use Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>dh-group16</format>
- <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description>
+ <description>Use Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>dh-group17</format>
- <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description>
+ <description>Use Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>dh-group18</format>
- <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description>
+ <description>Use Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>dh-group19</format>
- <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description>
+ <description>Use Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>dh-group20</format>
- <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description>
+ <description>Use Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>dh-group21</format>
- <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description>
+ <description>Use Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>dh-group22</format>
- <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description>
+ <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>dh-group23</format>
- <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description>
+ <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>dh-group24</format>
- <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description>
+ <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>dh-group25</format>
- <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description>
+ <description>Use Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>dh-group26</format>
- <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description>
+ <description>Use Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>dh-group27</format>
- <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description>
+ <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group28</format>
- <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description>
+ <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group29</format>
- <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description>
+ <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group30</format>
- <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description>
+ <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group31</format>
- <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description>
+ <description>Use Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>dh-group32</format>
- <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description>
+ <description>Use Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 9c0ad2075..fda8b74b1 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -18,8 +18,9 @@ import os
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
-
-from vyos.util import call, process_named_running, read_file
+from vyos.util import call
+from vyos.util import process_named_running
+from vyos.util import read_file
ethernet_path = ['interfaces', 'ethernet']
tunnel_path = ['interfaces', 'tunnel']
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ce72ee094..e95a3e82d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -39,46 +39,11 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
-authby_translate = {
- 'pre-shared-secret': 'psk',
- 'rsa': 'pubkey',
- 'x509': 'pubkey'
-}
-
-default_pfs = 'dh-group2'
-pfs_translate = {
- 'dh-group1' : 'modp768',
- 'dh-group2' : 'modp1024',
- 'dh-group5' : 'modp1536',
- 'dh-group14' : 'modp2048',
- 'dh-group15' : 'modp3072',
- 'dh-group16' : 'modp4096',
- 'dh-group17' : 'modp6144',
- 'dh-group18' : 'modp8192',
- 'dh-group19' : 'ecp256',
- 'dh-group20' : 'ecp384',
- 'dh-group21' : 'ecp512',
- 'dh-group22' : 'modp1024s160',
- 'dh-group23' : 'modp2048s224',
- 'dh-group24' : 'modp2048s256',
- 'dh-group25' : 'ecp192',
- 'dh-group26' : 'ecp224',
- 'dh-group27' : 'ecp224bp',
- 'dh-group28' : 'ecp256bp',
- 'dh-group29' : 'ecp384bp',
- 'dh-group30' : 'ecp512bp',
- 'dh-group31' : 'curve25519',
- 'dh-group32' : 'curve448'
-}
-
any_log_modes = [
'dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn',
'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'
]
-ike_ciphers = {}
-esp_ciphers = {}
-
dhcp_wait_attempts = 2
dhcp_wait_sleep = 1
@@ -113,52 +78,18 @@ def get_config(config=None):
get_first_key=True, no_tag_node_value_mangle=True)
ipsec['dhcp_no_address'] = {}
- ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface'])
- ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings'])
+ ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
+ 'interface'])
+ ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access',
+ 'ipsec-settings'])
ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
- ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
-
- default_ike_pfs = None
-
- if 'ike_group' in ipsec:
- for group, ike_conf in ipsec['ike_group'].items():
- if 'proposal' in ike_conf:
- ciphers = []
- for i in ike_conf['proposal']:
- proposal = ike_conf['proposal'][i]
- enc = proposal['encryption'] if 'encryption' in proposal else None
- hash = proposal['hash'] if 'hash' in proposal else None
- pfs = ('dh-group' + proposal['dh_group']) if 'dh_group' in proposal else default_pfs
-
- if not default_ike_pfs:
- default_ike_pfs = pfs
-
- if enc and hash:
- ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}")
- ike_ciphers[group] = ','.join(ciphers)
-
- if 'esp_group' in ipsec:
- for group, esp_conf in ipsec['esp_group'].items():
- pfs = esp_conf['pfs'] if 'pfs' in esp_conf else 'enable'
-
- if pfs == 'disable':
- pfs = None
-
- if pfs == 'enable':
- pfs = default_ike_pfs
-
- if 'proposal' in esp_conf:
- ciphers = []
- for i in esp_conf['proposal']:
- proposal = esp_conf['proposal'][i]
- enc = proposal['encryption'] if 'encryption' in proposal else None
- hash = proposal['hash'] if 'hash' in proposal else None
- if enc and hash:
- ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}")
- esp_ciphers[group] = ','.join(ciphers)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+ ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'],
+ key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
return ipsec
@@ -361,58 +292,54 @@ def generate(ipsec):
os.unlink(config_file)
return
- data = {}
- if ipsec:
- if ipsec['dhcp_no_address']:
- with open(DHCP_HOOK_IFLIST, 'w') as f:
- f.write(" ".join(ipsec['dhcp_no_address'].values()))
+ if ipsec['dhcp_no_address']:
+ with open(DHCP_HOOK_IFLIST, 'w') as f:
+ f.write(" ".join(ipsec['dhcp_no_address'].values()))
- data = ipsec
- data['authby'] = authby_translate
- data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers}
- data['rsa_local_key'] = verify_rsa_local_key(ipsec)
+ data = ipsec
+ data['rsa_local_key'] = verify_rsa_local_key(ipsec)
- for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
- if not os.path.exists(path):
- os.mkdir(path, mode=0o755)
+ for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
+ if not os.path.exists(path):
+ os.mkdir(path, mode=0o755)
- if not os.path.exists(KEY_PATH):
- os.mkdir(KEY_PATH, mode=0o700)
+ if not os.path.exists(KEY_PATH):
+ os.mkdir(KEY_PATH, mode=0o700)
- if 'site_to_site' in data and 'peer' in data['site_to_site']:
- for peer, peer_conf in ipsec['site_to_site']['peer'].items():
- if peer in ipsec['dhcp_no_address']:
- continue
+ if 'site_to_site' in data and 'peer' in data['site_to_site']:
+ for peer, peer_conf in ipsec['site_to_site']['peer'].items():
+ if peer in ipsec['dhcp_no_address']:
+ continue
- if peer_conf['authentication']['mode'] == 'x509':
- generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509'])
+ if peer_conf['authentication']['mode'] == 'x509':
+ generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509'])
- local_ip = ''
- if 'local_address' in peer_conf:
- local_ip = peer_conf['local_address']
- elif 'dhcp_interface' in peer_conf:
- local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+ local_ip = ''
+ if 'local_address' in peer_conf:
+ local_ip = peer_conf['local_address']
+ elif 'dhcp_interface' in peer_conf:
+ local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
- data['site_to_site']['peer'][peer]['local_address'] = local_ip
+ data['site_to_site']['peer'][peer]['local_address'] = local_ip
- if 'tunnel' in peer_conf:
- for tunnel, tunnel_conf in peer_conf['tunnel'].items():
- local_prefixes = dict_search('local.prefix', tunnel_conf)
- remote_prefixes = dict_search('remote.prefix', tunnel_conf)
+ if 'tunnel' in peer_conf:
+ for tunnel, tunnel_conf in peer_conf['tunnel'].items():
+ local_prefixes = dict_search('local.prefix', tunnel_conf)
+ remote_prefixes = dict_search('remote.prefix', tunnel_conf)
- if not local_prefixes or not remote_prefixes:
- continue
+ if not local_prefixes or not remote_prefixes:
+ continue
- passthrough = []
+ passthrough = []
- for local_prefix in local_prefixes:
- for remote_prefix in remote_prefixes:
- local_net = ipaddress.ip_network(local_prefix)
- remote_net = ipaddress.ip_network(remote_prefix)
- if local_net.overlaps(remote_net):
- passthrough.append(local_prefix)
+ for local_prefix in local_prefixes:
+ for remote_prefix in remote_prefixes:
+ local_net = ipaddress.ip_network(local_prefix)
+ remote_net = ipaddress.ip_network(remote_prefix)
+ if local_net.overlaps(remote_net):
+ passthrough.append(local_prefix)
- data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
+ data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
if 'logging' in ipsec and 'log_modes' in ipsec['logging']:
modes = ipsec['logging']['log_modes']
@@ -448,7 +375,7 @@ def apply(ipsec):
if not ipsec:
call('sudo /usr/sbin/ipsec stop')
else:
- should_start = ('profile' in ipsec or dict_search('site_to_site.peer', ipsec))
+ should_start = 'profile' in ipsec or dict_search('site_to_site.peer', ipsec)
if not process_named_running('charon') and should_start:
args = f'--auto-update {ipsec["auto_update"]}' if 'auto_update' in ipsec else ''