author | Christian Poessinger <christian@poessinger.com> | 2021-07-19 19:01:43 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-07-19 19:01:43 +0200 |
commit | 9556d78b1d54c7320a0154990c61d23c6197c38f (patch) | |
tree | b04a677d46bc5e4055b96452f73ca44de392cb2f /interface-definitions | |
parent | 48c768abbf53b752a55db2adea1f998cb28da55c (diff) | |
download | vyos-1x-9556d78b1d54c7320a0154990c61d23c6197c38f.tar.gz vyos-1x-9556d78b1d54c7320a0154990c61d23c6197c38f.zip |
ipsec: T1210: split out pool from remote-access configuration
Remote access IP pools can now be defined at a global level and referenced
in IPSec remote-access connections. To define a pool use:
set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1'
set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24'
set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1'
set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64'
A connection can then reference the pool:
set vpn ipsec remote-access connection foo pool 'global-ipv4'
set vpn ipsec remote-access connection foo pool 'global-ipv6'
Diffstat (limited to 'interface-definitions')
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 179 |
1 files changed, 98 insertions, 81 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 14063091d..5272b57cc 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -647,7 +647,7 @@
 <help>remote-access global options</help>
 </properties>
 <children>
- <node name="dhcp-pool">
+ <node name="dhcp">
 <properties>
 <help>DHCP pool options for remote-access</help>
 </properties>
@@ -665,8 +665,11 @@
 <help>DHCP server address</help>
 <valueHelp>
 <format>ipv4</format>
- <description>IPv4 address of the DHCP server</description>
+ <description>DHCP server IPv4 address</description>
 </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
 </properties>
 </leafNode>
 </children>
@@ -725,98 +728,126 @@
 #include <include/ipsec/ike-group.xml.i>
 </children>
 </tagNode>
- <tagNode name="remote-access">
+ <node name="remote-access">
 <properties>
- <help>Remote access IKEv2 VPN </help>
+ <help>IKEv2 remote access VPN</help>
 </properties>
 <children>
- <node name="authentication">
+ <tagNode name="connection">
 <properties>
- <help>Authentication for remote access</help>
+ <help>IKEv2 VPN connection name</help>
 </properties>
 <children>
- #include <include/ipsec/authentication-id.xml.i>
- #include <include/ipsec/authentication-x509.xml.i>
- <leafNode name="client-mode">
- <properties>
- <help>Client authentication mode</help>
- <completionHelp>
- <list>eap-tls eap-mschapv2</list>
- </completionHelp>
- <valueHelp>
- <format>eap-tls</format>
- <description>EAP-TLS</description>
- </valueHelp>
- <valueHelp>
- <format>eap-mschapv2</format>
- <description>EAP-MSCHAPv2</description>
- </valueHelp>
- <constraint>
- <regex>^(eap-tls|eap-mschapv2)$</regex>
- </constraint>
- </properties>
- <defaultValue>eap-mschapv2</defaultValue>
- </leafNode>
- <node name="local-users">
+ <node name="authentication">
 <properties>
- <help>Local user authentication for PPPoE server</help>
+ <help>Authentication for remote access</help>
 </properties>
 <children>
- <tagNode name="username">
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="client-mode">
+ <properties>
+ <help>Client authentication mode</help>
+ <completionHelp>
+ <list>eap-tls eap-mschapv2</list>
+ </completionHelp>
+ <valueHelp>
+ <format>eap-tls</format>
+ <description>EAP-TLS</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-mschapv2</format>
+ <description>EAP-MSCHAPv2</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(eap-tls|eap-mschapv2)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>eap-mschapv2</defaultValue>
+ </leafNode>
+ <node name="local-users">
 <properties>
- <help>User name for authentication</help>
+ <help>Local user authentication for PPPoE server</help>
 </properties>
 <children>
- #include <include/generic-disable-node.xml.i>
- <leafNode name="password">
+ <tagNode name="username">
 <properties>
- <help>Password for authentication</help>
+ <help>User name for authentication</help>
 </properties>
- </leafNode>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="password">
+ <properties>
+ <help>Password for authentication</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
 </children>
- </tagNode>
+ </node>
+ <leafNode name="server-mode">
+ <properties>
+ <help>Server authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>pre-shared-secret_description</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>x509_description</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(pre-shared-secret|x509)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>x509</defaultValue>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
 </children>
 </node>
- <leafNode name="server-mode">
+ #include <include/generic-description.xml.i>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ #include <include/ipsec/local-address.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ <leafNode name="timeout">
 <properties>
- <help>Server authentication mode</help>
- <completionHelp>
- <list>pre-shared-secret x509</list>
- </completionHelp>
- <valueHelp>
- <format>pre-shared-secret</format>
- <description>pre-shared-secret_description</description>
- </valueHelp>
+ <help>Timeout to close connection if no data is transmitted</help>
 <valueHelp>
- <format>x509</format>
- <description>x509_description</description>
+ <format>u32:10-86400</format>
+ <description>Timeout in seconds (default 28800)</description>
 </valueHelp>
 <constraint>
- <regex>^(pre-shared-secret|x509)$</regex>
+ <validator name="numeric" argument="--range 10-86400"/>
 </constraint>
 </properties>
- <defaultValue>x509</defaultValue>
+ <defaultValue>28800</defaultValue>
+ </leafNode>
+ <leafNode name="pool">
+ <properties>
+ <help>Pool name used for IP address assignments</help>
+ <completionHelp>
+ <path>vpn ipsec remote-access pool</path>
+ <list>dhcp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Pool name</description>
+ </valueHelp>
+ <multi/>
+ </properties>
 </leafNode>
- #include <include/ipsec/authentication-pre-shared-secret.xml.i>
 </children>
- </node>
- #include <include/generic-description.xml.i>
- #include <include/generic-disable-node.xml.i>
- #include <include/ipsec/esp-group.xml.i>
- #include <include/ipsec/ike-group.xml.i>
- #include <include/ipsec/local-address.xml.i>
- #include <include/ipsec/local-traffic-selector.xml.i>
- <node name="pool">
+ </tagNode>
+ <tagNode name="pool">
 <properties>
 <help>IP address pool for remote-access users</help>
 </properties>
 <children>
- <leafNode name="dhcp-enable">
- <properties>
- <help>Enable DHCP pool for clients on this connection</help>
- <valueless/>
- </properties>
- </leafNode>
 <leafNode name="exclude">
 <properties>
 <help>Local IPv4 or IPv6 pool prefix exclusions</help>
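Review bot: The new `pool` leafNode under `connection` carries no `<constraint>`, so the CLI accepts any string for it; the completionHelp only offers `dhcp` and the names under `vpn ipsec remote-access pool` but nothing rejects a name that does not exist. Unless the conf-mode verify() step refuses references to undefined pools (not visible here, as the diffstat is limited to interface-definitions), a typo commits cleanly and yields a connection with no usable address pool, which is a silent failure rather than a configuration error. A character-class `<regex>` on the node would at least reject junk values, with the referential check belonging in the conf-mode script. Since the `server-mode` valueHelp lines are rewritten anyway, the placeholder texts `pre-shared-secret_description` and `x509_description` carried over from the old block could be replaced with real descriptions such as `Use pre-shared secret key` and `Use x.509 certificate`. The `connection` tagNode closes within the hunk, but the new `pool` tagNode and its `exclude` leafNode continue past it.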
@@ -850,28 +881,14 @@
 <validator name="ipv4-prefix"/>
 <validator name="ipv6-prefix"/>
 </constraint>
- <multi/>
 </properties>
 </leafNode>
 <!-- Include Accel-PPP definition here, maybe time for a rename? -->
 #include <include/accel-ppp/name-server.xml.i>
 </children>
- </node>
- <leafNode name="timeout">
- <properties>
- <help>Timeout to close connection if no data is transmitted</help>
- <valueHelp>
- <format>u32:10-86400</format>
- <description>Timeout in seconds (default 28800)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 10-86400"/>
- </constraint>
- </properties>
- <defaultValue>28800</defaultValue>
- </leafNode>
+ </tagNode>
 </children>
- </tagNode>
+ </node>
 <node name="site-to-site">
 <properties>
 <help>Site-to-site VPN</help>
|
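Review bot: Removing `<multi/>` from the `exclude` leafNode limits each pool to a single excluded prefix, while the help text for the same node still reads "Local IPv4 or IPv6 pool prefix exclusions" in the plural, and the commit message does not mention narrowing the exclusion list. If a single exclusion per pool is intended, the help should say so, e.g. `<help>Local IPv4 or IPv6 pool prefix exclusion</help>`; if not, the `<multi/>` line should stay. The `exclude` leafNode starts in the previous hunk, so its `<help>` line is outside this one.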