summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-06-26 09:06:26 +0200
committerChristian Poessinger <christian@poessinger.com>2021-06-26 09:07:04 +0200
commit8108ca69e7d877f2af37bfce8c05a6054ed32775 (patch)
tree25f405de4423c16da68589e6c01757859cc80bc2 /src/conf_mode
parent03e1d273acf3c182da69013288eda3a8f274153b (diff)
downloadvyos-1x-8108ca69e7d877f2af37bfce8c05a6054ed32775.tar.gz
vyos-1x-8108ca69e7d877f2af37bfce8c05a6054ed32775.zip
ipsec: T3643: use variable for path names
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py75
1 files changed, 41 insertions, 34 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 433c51e7e..fa5ce34ca 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -40,30 +40,31 @@ authby_translate = {
'rsa': 'pubkey',
'x509': 'pubkey'
}
+
default_pfs = 'dh-group2'
pfs_translate = {
- 'dh-group1': 'modp768',
- 'dh-group2': 'modp1024',
- 'dh-group5': 'modp1536',
- 'dh-group14': 'modp2048',
- 'dh-group15': 'modp3072',
- 'dh-group16': 'modp4096',
- 'dh-group17': 'modp6144',
- 'dh-group18': 'modp8192',
- 'dh-group19': 'ecp256',
- 'dh-group20': 'ecp384',
- 'dh-group21': 'ecp512',
- 'dh-group22': 'modp1024s160',
- 'dh-group23': 'modp2048s224',
- 'dh-group24': 'modp2048s256',
- 'dh-group25': 'ecp192',
- 'dh-group26': 'ecp224',
- 'dh-group27': 'ecp224bp',
- 'dh-group28': 'ecp256bp',
- 'dh-group29': 'ecp384bp',
- 'dh-group30': 'ecp512bp',
- 'dh-group31': 'curve25519',
- 'dh-group32': 'curve448'
+ 'dh-group1' : 'modp768',
+ 'dh-group2' : 'modp1024',
+ 'dh-group5' : 'modp1536',
+ 'dh-group14' : 'modp2048',
+ 'dh-group15' : 'modp3072',
+ 'dh-group16' : 'modp4096',
+ 'dh-group17' : 'modp6144',
+ 'dh-group18' : 'modp8192',
+ 'dh-group19' : 'ecp256',
+ 'dh-group20' : 'ecp384',
+ 'dh-group21' : 'ecp512',
+ 'dh-group22' : 'modp1024s160',
+ 'dh-group23' : 'modp2048s224',
+ 'dh-group24' : 'modp2048s256',
+ 'dh-group25' : 'ecp192',
+ 'dh-group26' : 'ecp224',
+ 'dh-group27' : 'ecp224bp',
+ 'dh-group28' : 'ecp256bp',
+ 'dh-group29' : 'ecp384bp',
+ 'dh-group30' : 'ecp512bp',
+ 'dh-group31' : 'curve25519',
+ 'dh-group32' : 'curve448'
}
any_log_modes = [
@@ -79,13 +80,19 @@ dhcp_wait_sleep = 1
mark_base = 0x900000
-CERT_PATH="/etc/swanctl/x509/"
-KEY_PATH="/etc/swanctl/private/"
-CA_PATH = "/etc/swanctl/x509ca/"
-CRL_PATH = "/etc/swanctl/x509crl/"
+swanctl_dir = '/etc/swanctl'
+ipsec_conf = '/etc/ipsec.conf'
+ipsec_secrets = '/etc/ipsec.secrets'
+interface_conf = '/etc/strongswan.d/interfaces_use.conf'
+swanctl_conf = f'{swanctl_dir}/swanctl.conf'
+
+CERT_PATH = f'{swanctl_dir}/x509/'
+KEY_PATH = f'{swanctl_dir}/private/'
+CA_PATH = f'{swanctl_dir}/x509ca/'
+CRL_PATH = f'{swanctl_dir}/x509crl/'
-DHCP_BASE = "/var/lib/dhcp/dhclient"
-DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting"
+DHCP_BASE = '/var/lib/dhcp/dhclient'
+DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting'
LOCAL_KEY_PATHS = ['/config/auth/', '/config/ipsec.d/rsa-keys/']
X509_PATH = '/config/auth/'
@@ -105,8 +112,8 @@ def get_config(config=None):
ipsec['dhcp_no_address'] = {}
ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface'])
- ipsec['l2tp_exists'] = conf.exists('vpn l2tp remote-access ipsec-settings ')
- ipsec['nhrp_exists'] = conf.exists('protocols nhrp tunnel')
+ ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings'])
+ ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
@@ -383,10 +390,10 @@ def generate(ipsec):
modes = any_log_modes
data['charondebug'] = f' {level}, '.join(modes) + ' ' + level
- render("/etc/ipsec.conf", "ipsec/ipsec.conf.tmpl", data)
- render("/etc/ipsec.secrets", "ipsec/ipsec.secrets.tmpl", data)
- render("/etc/strongswan.d/interfaces_use.conf", "ipsec/interfaces_use.conf.tmpl", data)
- render("/etc/swanctl/swanctl.conf", "ipsec/swanctl.conf.tmpl", data)
+ render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', data)
+ render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data)
+ render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', data)
+ render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', data)
def resync_l2tp(ipsec):
if ipsec and not ipsec['l2tp_exists']: