diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-01-17 11:04:08 +0000 |
|---|---|---|
| committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-01-26 11:28:03 +0000 |
| commit | 7ae0b404ad9fdefa856c7e450b224b47d854a4eb (patch) | |
| tree | aa8fca32cc1f6a83cc8d5bfaccde866338bf3b6c /src/conf_mode | |
| parent | fc1c93a141bd095884088a8fa6f935d642bf6528 (diff) | |
| download | vyos-1x-7ae0b404ad9fdefa856c7e450b224b47d854a4eb.tar.gz vyos-1x-7ae0b404ad9fdefa856c7e450b224b47d854a4eb.zip | |
T4916: Rewrite IPsec peer authentication and psk migration
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index 3af2af4d9..ce4f13d27 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021-2022 VyOS maintainers and contributors +# Copyright (C) 2021-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -17,6 +17,7 @@ import ipaddress import os import re +import jmespath from sys import exit from time import sleep @@ -219,6 +220,12 @@ def verify(ipsec): if not ipsec: return None + if 'authentication' in ipsec: + if 'psk' in ipsec['authentication']: + for psk, psk_config in ipsec['authentication']['psk'].items(): + if 'id' not in psk_config or 'secret' not in psk_config: + raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"') + if 'interfaces' in ipsec : for ifname in ipsec['interface']: verify_interface_exists(ifname) @@ -602,6 +609,14 @@ def generate(ipsec): ipsec['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough + # auth psk <tag> dhcp-interface <xxx> + if jmespath.search('authentication.psk.*.dhcp_interface', ipsec): + for psk, psk_config in ipsec['authentication']['psk'].items(): + if 'dhcp_interface' in psk_config: + for iface in psk_config['dhcp_interface']: + id = get_dhcp_address(iface) + if id: + ipsec['authentication']['psk'][psk]['id'].append(id) render(ipsec_conf, 'ipsec/ipsec.conf.j2', ipsec) render(ipsec_secrets, 'ipsec/ipsec.secrets.j2', ipsec) |