diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-06-28 22:58:24 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-06-28 22:58:24 +0200 |
commit | 0751065ffa2161bedd040197dd51ad6ece5ab19b (patch) | |
tree | 7fcbdbe7dbc35e1f2b71b383485fd3017ac83fb7 /src/conf_mode/vpn_ipsec.py | |
parent | 5a5c0cd2e6f5d6c459a7f0e2da777834fb4362b2 (diff) | |
download | vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.tar.gz vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.zip |
ipsec: T1441: switch from vti to xfrm interfaces
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 18 |
1 files changed, 6 insertions, 12 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index d598ff6da..83c99798c 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -79,8 +79,6 @@ esp_ciphers = {} dhcp_wait_attempts = 2 dhcp_wait_sleep = 1 -mark_base = 0x900000 - swanctl_dir = '/etc/swanctl' ipsec_conf = '/etc/ipsec.conf' ipsec_secrets = '/etc/ipsec.secrets' @@ -321,8 +319,13 @@ def verify(ipsec): raise ConfigError(f"Local/remote prefix cannot be used with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}") def generate(ipsec): - data = {} + if not ipsec: + for config_file in [ipsec_conf, ipsec_secrets, interface_conf, swanctl_conf]: + if os.path.isfile(config_file): + os.unlink(config_file) + return + data = {} if ipsec: if ipsec['dhcp_no_address']: with open(DHCP_HOOK_IFLIST, 'w') as f: @@ -331,7 +334,6 @@ def generate(ipsec): data = ipsec data['authby'] = authby_translate data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers} - data['marks'] = {} data['rsa_local_key'] = verify_rsa_local_key(ipsec) if 'site_to_site' in data and 'peer' in data['site_to_site']: @@ -361,10 +363,6 @@ def generate(ipsec): data['site_to_site']['peer'][peer]['local_address'] = local_ip - if 'vti' in peer_conf and 'bind' in peer_conf['vti']: - vti_interface = peer_conf['vti']['bind'] - data['marks'][vti_interface] = get_mark(vti_interface) - if 'tunnel' in peer_conf: for tunnel, tunnel_conf in peer_conf['tunnel'].items(): local_prefixes = dict_search('local.prefix', tunnel_conf) @@ -436,10 +434,6 @@ def apply(ipsec): resync_l2tp(ipsec) resync_nhrp(ipsec) -def get_mark(vti_interface): - vti_num = int(vti_interface.lstrip('vti')) - return mark_base + vti_num - if __name__ == '__main__': try: ipsec = get_config() |