author | Christian Poessinger <christian@poessinger.com> | 2021-06-26 09:06:26 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2021-06-26 09:07:04 +0200 |
commit | 8108ca69e7d877f2af37bfce8c05a6054ed32775 (patch) | |
tree | 25f405de4423c16da68589e6c01757859cc80bc2 /src/conf_mode | |
parent | 03e1d273acf3c182da69013288eda3a8f274153b (diff) | |
ipsec: T3643: use variable for path names
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 75 |
1 files changed, 41 insertions, 34 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 433c51e7e..fa5ce34ca 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -40,30 +40,31 @@ authby_translate = {
     'rsa': 'pubkey',
     'x509': 'pubkey'
 }
+default_pfs = 'dh-group2'
 pfs_translate = {
-    'dh-group1': 'modp768',
-    'dh-group2': 'modp1024',
-    'dh-group5': 'modp1536',
-    'dh-group14': 'modp2048',
-    'dh-group15': 'modp3072',
-    'dh-group16': 'modp4096',
-    'dh-group17': 'modp6144',
-    'dh-group18': 'modp8192',
-    'dh-group19': 'ecp256',
-    'dh-group20': 'ecp384',
-    'dh-group21': 'ecp512',
-    'dh-group22': 'modp1024s160',
-    'dh-group23': 'modp2048s224',
-    'dh-group24': 'modp2048s256',
-    'dh-group25': 'ecp192',
-    'dh-group26': 'ecp224',
-    'dh-group27': 'ecp224bp',
-    'dh-group28': 'ecp256bp',
-    'dh-group29': 'ecp384bp',
-    'dh-group30': 'ecp512bp',
-    'dh-group31': 'curve25519',
-    'dh-group32': 'curve448'
+    'dh-group1' : 'modp768',
+    'dh-group2' : 'modp1024',
+    'dh-group5' : 'modp1536',
+    'dh-group14' : 'modp2048',
+    'dh-group15' : 'modp3072',
+    'dh-group16' : 'modp4096',
+    'dh-group17' : 'modp6144',
+    'dh-group18' : 'modp8192',
+    'dh-group19' : 'ecp256',
+    'dh-group20' : 'ecp384',
+    'dh-group21' : 'ecp512',
+    'dh-group22' : 'modp1024s160',
+    'dh-group23' : 'modp2048s224',
+    'dh-group24' : 'modp2048s256',
+    'dh-group25' : 'ecp192',
+    'dh-group26' : 'ecp224',
+    'dh-group27' : 'ecp224bp',
+    'dh-group28' : 'ecp256bp',
+    'dh-group29' : 'ecp384bp',
+    'dh-group30' : 'ecp512bp',
+    'dh-group31' : 'curve25519',
+    'dh-group32' : 'curve448'
 }
 any_log_modes = [
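Review bot: The new `default_pfs = 'dh-group2'` resolves through `pfs_translate` to modp1024, a 1024-bit MODP group that current IKEv2 guidance (RFC 8247) rates SHOULD NOT, with group 14 (2048-bit) as the baseline and group 1 (`modp768`, still present in the table) as MUST NOT. Where the constant is consumed is outside this hunk, so I can only infer that it stands in when a user configures no PFS group. If keeping the weaker default is deliberate for compatibility with existing configurations, say so next to it: `default_pfs = 'dh-group2'  # modp1024: legacy default kept for existing configs; prefer dh-group14 or stronger for new ones`. The rest of the hunk only changes spacing inside the dict.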
@@ -79,13 +80,19 @@ dhcp_wait_sleep = 1
 mark_base = 0x900000
-CERT_PATH="/etc/swanctl/x509/"
-KEY_PATH="/etc/swanctl/private/"
-CA_PATH = "/etc/swanctl/x509ca/"
-CRL_PATH = "/etc/swanctl/x509crl/"
+swanctl_dir = '/etc/swanctl'
+ipsec_conf = '/etc/ipsec.conf'
+ipsec_secrets = '/etc/ipsec.secrets'
+interface_conf = '/etc/strongswan.d/interfaces_use.conf'
+swanctl_conf = f'{swanctl_dir}/swanctl.conf'
+
+CERT_PATH = f'{swanctl_dir}/x509/'
+KEY_PATH = f'{swanctl_dir}/private/'
+CA_PATH = f'{swanctl_dir}/x509ca/'
+CRL_PATH = f'{swanctl_dir}/x509crl/'
-DHCP_BASE = "/var/lib/dhcp/dhclient"
-DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting"
+DHCP_BASE = '/var/lib/dhcp/dhclient'
+DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting'
 LOCAL_KEY_PATHS = ['/config/auth/', '/config/ipsec.d/rsa-keys/']
 X509_PATH = '/config/auth/'
@@ -105,8 +112,8 @@ def get_config(config=None):
     ipsec['dhcp_no_address'] = {}
     ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface'])
-    ipsec['l2tp_exists'] = conf.exists('vpn l2tp remote-access ipsec-settings ')
-    ipsec['nhrp_exists'] = conf.exists('protocols nhrp tunnel')
+    ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings'])
+    ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
     ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True)
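Review bot: `DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting'` keeps a fixed, predictable file name in the world-writable `/tmp` while every other path in this hunk is being centralised; if that file is exchanged between a DHCP hook and this script running with elevated privileges (its readers and writers are outside the hunk), a pre-created file or symlink at that name by another local user becomes a concern, and a service-owned directory (for example one under `/run`, exact location to be chosen by the maintainers) avoids it. Since the commit is already consolidating path constants, this is the natural place to make that move. Separately, `swanctl_dir` carries no trailing slash while `CERT_PATH`, `KEY_PATH`, `CA_PATH` and `CRL_PATH` keep theirs, which the f-strings here handle correctly but callers concatenating these constants must know; a one-line comment such as `# *_PATH constants end with '/', swanctl_dir does not` or building them with `os.path.join` would make the contract explicit.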
@@ -383,10 +390,10 @@ def generate(ipsec):
            modes = any_log_modes
        data['charondebug'] = f' {level}, '.join(modes) + ' ' + level
-    render("/etc/ipsec.conf", "ipsec/ipsec.conf.tmpl", data)
-    render("/etc/ipsec.secrets", "ipsec/ipsec.secrets.tmpl", data)
-    render("/etc/strongswan.d/interfaces_use.conf", "ipsec/interfaces_use.conf.tmpl", data)
-    render("/etc/swanctl/swanctl.conf", "ipsec/swanctl.conf.tmpl", data)
+    render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', data)
+    render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data)
+    render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', data)
+    render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', data)
 def resync_l2tp(ipsec):
     if ipsec and not ipsec['l2tp_exists']:
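Review bot: `render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data)` writes the file that holds pre-shared keys with the same call shape as the three non-sensitive files, so nothing in this hunk restricts the mode or owner of `/etc/ipsec.secrets`; whether the template helper applies a default mode cannot be seen from here. If `render()` accepts a permission/owner argument (other conf_mode scripts appear to use one — verify against `vyos.template`), pass a restrictive mode on that call only, otherwise tighten the file after rendering. The other three render calls are fine as written. `generate()` begins before this hunk.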