authorChristian Poessinger <christian@poessinger.com>2021-06-28 22:58:24 +0200
committerChristian Poessinger <christian@poessinger.com>2021-06-28 22:58:24 +0200
commit0751065ffa2161bedd040197dd51ad6ece5ab19b (patch)
tree7fcbdbe7dbc35e1f2b71b383485fd3017ac83fb7 /src/conf_mode/interfaces-vti.py
parent5a5c0cd2e6f5d6c459a7f0e2da777834fb4362b2 (diff)
ipsec: T1441: switch from vti to xfrm interfaces
XFRM interfaces are similar to VTI devices in their basic functionality but offer several advantages: * No tunnel endpoint addresses have to be configured on the interfaces. Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints, this resolves issues with wildcard addresses (only one VTI with wildcard endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and easily allows SAs with multiple peers to share the same interface. * Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on the same interface (VTI devices only support one address family). * IPsec modes other than tunnel are supported (VTI devices only support tunnel mode). * No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.
Diffstat (limited to 'src/conf_mode/interfaces-vti.py')
-rwxr-xr-xsrc/conf_mode/interfaces-vti.py31
1 files changed, 0 insertions, 31 deletions
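--- a/src/conf_mode/interfaces-vti.py
+++ b/src/conf_mode/interfaces-vti.py
@@ -36,40 +36,9 @@ def get_config(config=None):
 conf = Config()
 base = ['interfaces', 'vti']
 vti = get_interface_dict(conf, base)
-
- # VTI is more then an interface - we retrieve the "real" configuration from
- # the IPsec peer configuration which binds this VTI
- conf.set_level([])
- vti['ipsec'] = conf.get_config_dict(['vpn', 'ipsec', 'site-to-site', 'peer'],
- key_mangling=('-', '_'), get_first_key=True,
- no_tag_node_value_mangle=True)
-
- for peer, peer_config in vti['ipsec'].items():
- if dict_search('vti.bind', peer_config) == vti['ifname']:
- vti['remote'] = peer
- if 'local_address' in peer_config:
- vti['source_address'] = peer_config['local_address']
- # we also need to "calculate" a per vti individual key
- base = 0x900000
- vti['key'] = base + int(vti['ifname'].lstrip('vti'))
-
 return vti
 def verify(vti):
- if 'deleted' in vti:
- return None
-
- ifname = vti['ifname']
- found = False
- for peer, peer_config in vti['ipsec'].items():
- if dict_search('vti.bind', peer_config) == ifname:
- found = True
- # we can now stop processing the for loop
- break
- if not found:
- tmp = vti['ifname']
- raise ConfigError(f'Interface "{ifname}" not referenced in any VPN configuration!')
-
 return None
 def generate(vti):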