summaryrefslogtreecommitdiff
path: root/src/migration-scripts/ipsec/10-to-11
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2023-01-17 11:04:08 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2023-01-26 11:28:03 +0000
commit7ae0b404ad9fdefa856c7e450b224b47d854a4eb (patch)
treeaa8fca32cc1f6a83cc8d5bfaccde866338bf3b6c /src/migration-scripts/ipsec/10-to-11
parentfc1c93a141bd095884088a8fa6f935d642bf6528 (diff)
downloadvyos-1x-7ae0b404ad9fdefa856c7e450b224b47d854a4eb.tar.gz
vyos-1x-7ae0b404ad9fdefa856c7e450b224b47d854a4eb.zip
T4916: Rewrite IPsec peer authentication and psk migration
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
Diffstat (limited to 'src/migration-scripts/ipsec/10-to-11')
-rwxr-xr-xsrc/migration-scripts/ipsec/10-to-1185
1 files changed, 85 insertions, 0 deletions
diff --git a/src/migration-scripts/ipsec/10-to-11 b/src/migration-scripts/ipsec/10-to-11
new file mode 100755
index 000000000..ec38d0034
--- /dev/null
+++ b/src/migration-scripts/ipsec/10-to-11
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['vpn', 'ipsec']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+# PEER changes
+if config.exists(base + ['site-to-site', 'peer']):
+ for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+ peer_base = base + ['site-to-site', 'peer', peer]
+
+ # replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
+ # => 'ipsec authentication psk <tag> secret xxx'
+ if config.exists(peer_base + ['authentication', 'pre-shared-secret']):
+ tmp = config.return_value(peer_base + ['authentication', 'pre-shared-secret'])
+ config.delete(peer_base + ['authentication', 'pre-shared-secret'])
+ config.set(base + ['authentication', 'psk', peer, 'secret'], value=tmp)
+ # format as tag node to avoid loading problems
+ config.set_tag(base + ['authentication', 'psk'])
+
+ # Get id's from peers for "ipsec auth psk <tag> id xxx"
+ if config.exists(peer_base + ['authentication', 'local-id']):
+ local_id = config.return_value(peer_base + ['authentication', 'local-id'])
+ config.set(base + ['authentication', 'psk', peer, 'id'], value=local_id, replace=False)
+ if config.exists(peer_base + ['authentication', 'remote-id']):
+ remote_id = config.return_value(peer_base + ['authentication', 'remote-id'])
+ config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_id, replace=False)
+
+ if config.exists(peer_base + ['local-address']):
+ tmp = config.return_value(peer_base + ['local-address'])
+ config.set(base + ['authentication', 'psk', peer, 'id'], value=tmp, replace=False)
+ if config.exists(peer_base + ['remote-address']):
+ tmp = config.return_value(peer_base + ['remote-address'])
+ if tmp:
+ for remote_addr in tmp:
+ if remote_addr == 'any':
+ remote_addr = '%any'
+ config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_addr, replace=False)
+
+ # get DHCP peer interface as psk dhcp-interface
+ if config.exists(peer_base + ['dhcp-interface']):
+ tmp = config.return_value(peer_base + ['dhcp-interface'])
+ config.set(base + ['authentication', 'psk', peer, 'dhcp-interface'], value=tmp)
+
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)