diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-06-28 22:58:24 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-06-28 22:58:24 +0200 |
| commit | 0751065ffa2161bedd040197dd51ad6ece5ab19b (patch) | |
| tree | 7fcbdbe7dbc35e1f2b71b383485fd3017ac83fb7 /src/conf_mode/interfaces-vti.py | |
| parent | 5a5c0cd2e6f5d6c459a7f0e2da777834fb4362b2 (diff) | |
| download | vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.tar.gz vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.zip | |
ipsec: T1441: switch from vti to xfrm interfaces
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
Diffstat (limited to 'src/conf_mode/interfaces-vti.py')
| -rwxr-xr-x | src/conf_mode/interfaces-vti.py | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py index 6ff23ae59..1b38304c1 100755 --- a/src/conf_mode/interfaces-vti.py +++ b/src/conf_mode/interfaces-vti.py @@ -36,40 +36,9 @@ def get_config(config=None): conf = Config() base = ['interfaces', 'vti'] vti = get_interface_dict(conf, base) - - # VTI is more then an interface - we retrieve the "real" configuration from - # the IPsec peer configuration which binds this VTI - conf.set_level([]) - vti['ipsec'] = conf.get_config_dict(['vpn', 'ipsec', 'site-to-site', 'peer'], - key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - - for peer, peer_config in vti['ipsec'].items(): - if dict_search('vti.bind', peer_config) == vti['ifname']: - vti['remote'] = peer - if 'local_address' in peer_config: - vti['source_address'] = peer_config['local_address'] - # we also need to "calculate" a per vti individual key - base = 0x900000 - vti['key'] = base + int(vti['ifname'].lstrip('vti')) - return vti def verify(vti): - if 'deleted' in vti: - return None - - ifname = vti['ifname'] - found = False - for peer, peer_config in vti['ipsec'].items(): - if dict_search('vti.bind', peer_config) == ifname: - found = True - # we can now stop processing the for loop - break - if not found: - tmp = vti['ifname'] - raise ConfigError(f'Interface "{ifname}" not referenced in any VPN configuration!') - return None def generate(vti): |