authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:52:26 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-04 11:57:15 +0200
commitb2bf1592189fb9298f2a68272418a132a73f37bf (patch)
tree20599766a0c4d23bc0defb1add6e28221669836a /src/conf_mode/vpn_ipsec.py
parentce3847239493d76bd0462e2a7b1f5cca41c57457 (diff)
ipsec: T1210: T1251: IKEv2 road-warrior support
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py42
1 files changed, 21 insertions, 21 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d1b29ee9a..50223320d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -34,7 +34,6 @@ from vyos.template import render
from vyos.validate import is_ipv6_link_local
from vyos.util import call
from vyos.util import dict_search
-from vyos.util import process_named_running
from vyos.util import run
from vyos.xml import defaults
from vyos import ConfigError
@@ -81,6 +80,7 @@ def get_config(config=None):
# added in a more fine grained way later on
del default_values['esp_group']
del default_values['ike_group']
+ del default_values['remote_access']
ipsec = dict_merge(default_values, ipsec)
if 'esp_group' in ipsec:
@@ -88,12 +88,16 @@ def get_config(config=None):
for group in ipsec['esp_group']:
ipsec['esp_group'][group] = dict_merge(default_values,
ipsec['esp_group'][group])
-
if 'ike_group' in ipsec:
default_values = defaults(base + ['ike-group'])
for group in ipsec['ike_group']:
ipsec['ike_group'][group] = dict_merge(default_values,
ipsec['ike_group'][group])
+ if 'remote_access' in ipsec:
+ default_values = defaults(base + ['remote-access'])
+ for rw in ipsec['remote_access']:
+ ipsec['remote_access'][rw] = dict_merge(default_values,
+ ipsec['remote_access'][rw])
ipsec['dhcp_no_address'] = {}
ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
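Review bot: The new `remote_access` block is the third copy of the same "merge tag-node defaults into each entry" loop (the `esp_group` copy begins before this hunk, the `ike_group` copy is the context just above), so the per-entry default handling is now spelled out three times and any later fix has to be applied in three places. A small table-driven loop over `(tag_node, key)` pairs would keep the three cases in sync and make adding the next tag node a one-line change. The enclosing `get_config` starts before this hunk and its return is in a later hunk.
```python
    for tag_node, key in (('esp-group', 'esp_group'),
                          ('ike-group', 'ike_group'),
                          ('remote-access', 'remote_access')):
        if key in ipsec:
            default_values = defaults(base + [tag_node])
            for name in ipsec[key]:
                ipsec[key][name] = dict_merge(default_values, ipsec[key][name])
    # … unchanged: dhcp_no_address / interface_change setup …
```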
@@ -109,8 +113,6 @@ def get_config(config=None):
get_first_key=True,
no_tag_node_value_mangle=True)
- import pprint
- pprint.pprint(ipsec)
return ipsec
def get_rsa_local_key(ipsec):
@@ -326,6 +328,11 @@ def generate(ipsec):
if not os.path.exists(KEY_PATH):
os.mkdir(KEY_PATH, mode=0o700)
+ if 'remote_access' in ipsec:
+ for rw, rw_conf in ipsec['remote_access'].items():
+ if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']:
+ generate_pki_files(ipsec['pki'], rw_conf['authentication']['x509'])
+
if 'site_to_site' in data and 'peer' in data['site_to_site']:
for peer, peer_conf in ipsec['site_to_site']['peer'].items():
if peer in ipsec['dhcp_no_address']:
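Review bot: The added loop reads `ipsec['pki']` with no guard while it guards `rw_conf['authentication']['x509']` on the line before, so a remote-access entry with x509 authentication but no `pki` subtree in the merged config would raise `KeyError` out of `generate()` rather than a `ConfigError` (presumably `verify()` rejects that combination, but generate() should not rely on it). The loop variable `rw` is also unused, and the nested membership test can use `dict_search`, which the file already imports. Separately, the context line below mixes `data['site_to_site']` with `ipsec['site_to_site']`; if `data` is not a module-level alias for the same dict that is a latent `NameError`, worth confirming while in this function. `generate()` starts before this hunk.
```python
    if 'remote_access' in ipsec:
        for rw_conf in ipsec['remote_access'].values():
            x509 = dict_search('authentication.x509', rw_conf)
            if x509 and 'pki' in ipsec:
                generate_pki_files(ipsec['pki'], x509)
    # … unchanged: site_to_site peer handling …
```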
@@ -385,24 +392,17 @@ def resync_nhrp(ipsec):
def apply(ipsec):
if not ipsec:
- call('sudo /usr/sbin/ipsec stop')
+ call('sudo ipsec stop')
else:
- should_start = 'profile' in ipsec or dict_search('site_to_site.peer', ipsec)
-
- if not process_named_running('charon') and should_start:
- args = f'--auto-update {ipsec["auto_update"]}' if 'auto_update' in ipsec else ''
- call(f'sudo /usr/sbin/ipsec start {args}')
- elif not should_start:
- call('sudo /usr/sbin/ipsec stop')
- elif ipsec['interface_change']:
- call('sudo /usr/sbin/ipsec restart')
- else:
- call('sudo /usr/sbin/ipsec rereadall')
- call('sudo /usr/sbin/ipsec reload')
-
- if should_start:
- sleep(2) # Give charon enough time to start
- call('sudo /usr/sbin/swanctl -q')
+ args = ''
+ if 'auto_update' in ipsec:
+ args = '--auto-update ' + ipsec['auto_update']
+ call(f'sudo ipsec restart {args}')
+ call('sudo ipsec rereadall')
+ call('sudo ipsec reload')
+
+ sleep(5) # Give charon enough time to start
+ call('sudo swanctl -q')
resync_l2tp(ipsec)
resync_nhrp(ipsec)
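Review bot: The new `else` branch runs `sudo ipsec restart` on every commit, which tears down every established IKE and CHILD SA (site-to-site and road-warrior alike) on unrelated configuration changes; the code it replaces restarted only on `ipsec['interface_change']` and otherwise did `rereadall`/`reload`, and that flag is still computed in `get_config` but is no longer consulted here. The `rereadall`/`reload` calls that follow the restart are also redundant, since a freshly started charon reads the full configuration anyway. The fixed `sleep(5)` before `swanctl -q` remains a race with charon startup (raised from 2, which suggests it has already been hit); polling until the daemon answers, e.g. a `run('sudo swanctl --stats')` loop with a bounded number of attempts, would be more robust than a constant delay. Restoring the reload path needs some "is charon running" check for the first-start case, so either keep the `process_named_running` import dropped in the first hunk or replace it with an equivalent probe. Whether `apply()` ends at `resync_nhrp(ipsec)` cannot be confirmed from this page.
```python
        args = ''
        if 'auto_update' in ipsec:
            args = '--auto-update ' + ipsec['auto_update']
        # A full restart drops all established SAs; only do it when the
        # listening interfaces changed, otherwise reload in place.
        if ipsec['interface_change']:
            call(f'sudo ipsec restart {args}')
            sleep(5) # Give charon enough time to start
        else:
            call('sudo ipsec rereadall')
            call('sudo ipsec reload')
        call('sudo swanctl -q')
    # … unchanged: resync_l2tp / resync_nhrp …
```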