diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-07-03 15:31:38 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-07-03 15:31:38 +0200 |
commit | a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a (patch) | |
tree | 7e44119b3054f54d18e216a8f63e84346e92073d /data | |
parent | 2d79a5000c8a02fd7570f629c3182fd55fdb8c86 (diff) | |
download | vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.tar.gz vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.zip |
ipsec: T2816: rework IKE and ESP key assignment
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.
This commit changes the IPSec implementation to make use of this new Jinja2
filter fubction/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 34 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 24 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/profile.tmpl | 13 |
3 files changed, 32 insertions, 39 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 116d62beb..cafe52e78 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -1,25 +1,17 @@ ### Autogenerated by vpn_ipsec.py ### - {% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} {% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} -{% if profile is defined or site_to_site is defined %} connections { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} -{% set dmvpn_ike = ike_group[profile_conf.ike_group] %} -{% set dmvpn_esp = esp_group[profile_conf.esp_group] %} -{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }} -{% endfor %} -{% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %} -{% set peer_ike = ike_group[peer_conf.ike_group] %} -{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %} -{% set auth_type = authby[peer_conf.authentication.mode] %} -{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }} -{% endfor %} +{% if profile is defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if site_to_site is defined and site_to_site.peer is defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} +{% endfor %} {% endif %} } @@ -38,9 +30,9 @@ secrets { {% if site_to_site is defined and site_to_site.peer is defined %} {% set ns = namespace(local_key_set=False) %} {% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %} +{% set peer_name = peer.replace(".", "-").replace("@", "") %} {% if peer_conf.authentication.mode == 'pre-shared-secret' %} - ike_{{ peer_conn_name }} { + ike_{{ peer_name }} { {% if peer_conf.local_address is defined %} id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} {% endif %} @@ -54,7 +46,7 @@ secrets { secret = "{{ peer_conf.authentication.pre_shared_secret }}" } {% elif peer_conf.authentication.mode == 'x509' %} - private_{{ peer_conn_name }} { + private_{{ peer_name }} { file = {{ peer_conf.authentication.x509.certificate }}.pem {% if peer_conf.authentication.x509.passphrase is defined %} secret = "{{ peer_conf.authentication.x509.passphrase }}" @@ -69,4 +61,4 @@ secrets { {% endfor %} {% endif %} } -{% endif %} + diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 7cc3fa29f..0559d1dac 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -1,7 +1,10 @@ -{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %} +{% macro conn(peer, peer_conf, ike_group, esp_group) %} +{% set name = peer.replace(".", "-").replace("@", "") %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[peer_conf.ike_group] %} peer_{{ name }} { - proposals = {{ ciphers.ike[peer_conf.ike_group] }} - version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }} + proposals = {{ ike | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} {% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} @@ -31,9 +34,7 @@ {% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %} id = "{{ peer_conf.authentication.id }}" {% endif %} -{% if auth_type %} - auth = {{ auth_type }} -{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} {% if peer_conf.authentication.mode == 'x509' %} certs = {{ peer_conf.authentication.x509.certificate }}.pem {% elif peer_conf.authentication.mode == 'rsa' %} @@ -46,9 +47,7 @@ {% elif peer[0:1] == '@' %} id = "{{ peer }}" {% endif %} -{% if auth_type %} - auth = {{ auth_type }} -{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} {% if peer_conf.authentication.mode == 'rsa' %} pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub {% endif %} @@ -57,7 +56,7 @@ {% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} {% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %} peer_{{ name }}_vti { - esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }} + esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }} local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" @@ -77,8 +76,7 @@ dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} } -{% endif %} -{% if peer_conf.tunnel is defined %} +{% elif peer_conf.tunnel is defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} {% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %} {% set tunnel_esp = esp_group[tunnel_esp_name] %} @@ -88,7 +86,7 @@ {% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { - esp_proposals = {{ ciphers.esp[tunnel_esp_name] }} + esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }} {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} {% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} {% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl index f6f6f4d70..0360972f6 100644 --- a/data/templates/ipsec/swanctl/profile.tmpl +++ b/data/templates/ipsec/swanctl/profile.tmpl @@ -1,9 +1,12 @@ -{% macro conn(name, profile_conf, ike, esp, ciphers) %} +{% macro conn(name, profile_conf, ike_group, esp_group) %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[profile_conf.ike_group] %} +{% set esp = esp_group[profile_conf.esp_group] %} {% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} {% for interface in profile_conf.bind.tunnel %} dmvpn-{{ name }}-{{ interface }} { - proposals = {{ ciphers.ike[profile_conf.ike_group] }} - version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }} + proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} rekey_time = {{ ike.lifetime if ike.lifetime is defined else '28800' }}s keyingtries = 0 {% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %} @@ -16,12 +19,12 @@ {% endif %} children { dmvpn { - esp_proposals = {{ ciphers.esp[profile_conf.esp_group] }} + esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }} rekey_time = {{ esp.lifetime if esp.lifetime is defined else '3600' }}s rand_time = 540s local_ts = dynamic[gre] remote_ts = dynamic[gre] - mode = {{ esp.mode if esp.mode is defined else "transport" }} + mode = {{ esp.mode if esp.mode is defined else 'transport' }} {% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %} dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} |