author | Christian Breunig <christian@breunig.cc> | 2024-10-04 13:43:40 +0200 |
committer | GitHub <noreply@github.com> | 2024-10-04 13:43:40 +0200 |
commit | 43e9082419e88f59a804eae16e3fc4e848f40fbd (patch) | |
tree | efab992f298e26dc2a731c3742a383b7fd138a37 /src/conf_mode/vpn_ipsec.py | |
parent | a60cd03068db703d71988788d5486ac22b028d0a (diff) | |
parent | 34bbc3be98d20b7ce704cc498f070e70bf8f0213 (diff) | |
Merge pull request #4121 from natali-rs1985/T6101-current
ipsec: T6101: Add validation for proposal option used in IKE group
Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ca0c3657f..e22b7550c 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -214,6 +214,19 @@ def verify(ipsec):
             else:
                 verify_interface_exists(ipsec, interface)
 
+    # need to use a pseudo-random function (PRF) with an authenticated encryption algorithm.
+    # If a hash algorithm is defined then it will be mapped to an equivalent PRF
+    if 'ike_group' in ipsec:
+        for _, ike_config in ipsec['ike_group'].items():
+            for proposal, proposal_config in ike_config.get('proposal', {}).items():
+                if 'encryption' in proposal_config and 'prf' not in proposal_config:
+                    # list of hash algorithms that cannot be mapped to an equivalent PRF
+                    algs = ['aes128gmac', 'aes192gmac', 'aes256gmac', 'sha256_96']
+                    if 'hash' in proposal_config and proposal_config['hash'] in algs:
+                        raise ConfigError(
+                            f"A PRF algorithm is mandatory in IKE proposal {proposal}"
+                        )
+
     if 'l2tp' in ipsec:
         if 'esp_group' in ipsec['l2tp']:
             if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']:
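Review bot: The new validation only rejects a proposal whose `hash` is one of the four listed algorithms, so a proposal with an AEAD `encryption`, no `prf` and no `hash` at all passes the `'hash' in proposal_config` guard untouched; unless the CLI schema guarantees a default hash (not visible in this hunk), that case still reaches charon without a usable PRF and should be rejected with the same ConfigError. The header comment also claims the check is about authenticated encryption, yet nothing inspects the `encryption` value — either drop that wording or restate it as what the code enforces, e.g. `# strongSwan derives the IKE PRF from the integrity algorithm; these hashes have no PRF equivalent, so an explicit prf is required`. On style, `algs` is rebuilt as a list inside the innermost loop; hoist it to a module-level `_HASH_WITHOUT_PRF = frozenset({'aes128gmac', 'aes192gmac', 'aes256gmac', 'sha256_96'})` and iterate with `for ike_config in ipsec['ike_group'].values():` since the key is unused. The enclosing `verify()` begins before and continues after this hunk.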