summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:31:38 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 15:31:38 +0200
commita1abb118c9eb413f3c78cfb2077f9c0d4b443c3a (patch)
tree7e44119b3054f54d18e216a8f63e84346e92073d /data
parent2d79a5000c8a02fd7570f629c3182fd55fdb8c86 (diff)
downloadvyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.tar.gz
vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.zip
ipsec: T2816: rework IKE and ESP key assignment
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string") added a Jinja2 helper function which can be used to transform VyOS CLI ESP and IKE key proposals into a strongSwan compatible string cipher. This commit changes the IPSec implementation to make use of this new Jinja2 filter fubction/Python helper. This is required base work for better automated tests (smoketests) but also for an IKEv2 road-warrior setup.
Diffstat (limited to 'data')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl34
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl24
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl13
3 files changed, 32 insertions, 39 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 116d62beb..cafe52e78 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,25 +1,17 @@
### Autogenerated by vpn_ipsec.py ###
-
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
-{% if profile is defined or site_to_site is defined %}
connections {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
-{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% set peer_ike = ike_group[peer_conf.ike_group] %}
-{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
-{% set auth_type = authby[peer_conf.authentication.mode] %}
-{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
-{% endfor %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{% endfor %}
{% endif %}
}
@@ -38,9 +30,9 @@ secrets {
{% if site_to_site is defined and site_to_site.peer is defined %}
{% set ns = namespace(local_key_set=False) %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% set peer_name = peer.replace(".", "-").replace("@", "") %}
{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
- ike_{{ peer_conn_name }} {
+ ike_{{ peer_name }} {
{% if peer_conf.local_address is defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{% endif %}
@@ -54,7 +46,7 @@ secrets {
secret = "{{ peer_conf.authentication.pre_shared_secret }}"
}
{% elif peer_conf.authentication.mode == 'x509' %}
- private_{{ peer_conn_name }} {
+ private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
@@ -69,4 +61,4 @@ secrets {
{% endfor %}
{% endif %}
}
-{% endif %}
+
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 7cc3fa29f..0559d1dac 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -1,7 +1,10 @@
-{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %}
+{% macro conn(peer, peer_conf, ike_group, esp_group) %}
+{% set name = peer.replace(".", "-").replace("@", "") %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
- proposals = {{ ciphers.ike[peer_conf.ike_group] }}
- version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }}
+ proposals = {{ ike | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
@@ -31,9 +34,7 @@
{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
-{% if auth_type %}
- auth = {{ auth_type }}
-{% endif %}
+ auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
{% elif peer_conf.authentication.mode == 'rsa' %}
@@ -46,9 +47,7 @@
{% elif peer[0:1] == '@' %}
id = "{{ peer }}"
{% endif %}
-{% if auth_type %}
- auth = {{ auth_type }}
-{% endif %}
+ auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub
{% endif %}
@@ -57,7 +56,7 @@
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
peer_{{ name }}_vti {
- esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }}
+ esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
@@ -77,8 +76,7 @@
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
}
-{% endif %}
-{% if peer_conf.tunnel is defined %}
+{% elif peer_conf.tunnel is defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
@@ -88,7 +86,7 @@
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
- esp_proposals = {{ ciphers.esp[tunnel_esp_name] }}
+ esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }}
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index f6f6f4d70..0360972f6 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -1,9 +1,12 @@
-{% macro conn(name, profile_conf, ike, esp, ciphers) %}
+{% macro conn(name, profile_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[profile_conf.ike_group] %}
+{% set esp = esp_group[profile_conf.esp_group] %}
{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{% for interface in profile_conf.bind.tunnel %}
dmvpn-{{ name }}-{{ interface }} {
- proposals = {{ ciphers.ike[profile_conf.ike_group] }}
- version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }}
+ proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
rekey_time = {{ ike.lifetime if ike.lifetime is defined else '28800' }}s
keyingtries = 0
{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
@@ -16,12 +19,12 @@
{% endif %}
children {
dmvpn {
- esp_proposals = {{ ciphers.esp[profile_conf.esp_group] }}
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
rekey_time = {{ esp.lifetime if esp.lifetime is defined else '3600' }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
- mode = {{ esp.mode if esp.mode is defined else "transport" }}
+ mode = {{ esp.mode if esp.mode is defined else 'transport' }}
{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}