summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:42:03 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 15:42:03 +0200
commitdcfeb0de0a510d00c37101da50205b51dd464d72 (patch)
tree4352ed737a931a3d6fbbfb6ecd99cfb84f34661f /src
parent13924804aafa9a43b4a300fb9afbdf29b69603fb (diff)
parent1e74c0df2179c60036e440e15ed9036163039b2a (diff)
downloadvyos-1x-dcfeb0de0a510d00c37101da50205b51dd464d72.tar.gz
vyos-1x-dcfeb0de0a510d00c37101da50205b51dd464d72.zip
Merge branch 'ipsec-ikev2-remote-access' of github.com:c-po/vyos-1x into current
* 'ipsec-ikev2-remote-access' of github.com:c-po/vyos-1x: ipsec: T2816: remove default values from Jinja2 template and place them in XML ipsec: T2816: rework IKE and ESP key assignment ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string ipsec: T2816: adjust Jinja2 template to coding style xml: provide building block for a generic description node
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py180
-rw-r--r--src/tests/test_template.py60
2 files changed, 121 insertions, 119 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ce72ee094..6d5d24e52 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -23,6 +23,7 @@ from time import sleep
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
+from vyos.configdict import dict_merge
from vyos.ifconfig import Interface
from vyos.pki import wrap_certificate
from vyos.pki import wrap_crl
@@ -35,50 +36,16 @@ from vyos.util import call
from vyos.util import dict_search
from vyos.util import process_named_running
from vyos.util import run
+from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-authby_translate = {
- 'pre-shared-secret': 'psk',
- 'rsa': 'pubkey',
- 'x509': 'pubkey'
-}
-
-default_pfs = 'dh-group2'
-pfs_translate = {
- 'dh-group1' : 'modp768',
- 'dh-group2' : 'modp1024',
- 'dh-group5' : 'modp1536',
- 'dh-group14' : 'modp2048',
- 'dh-group15' : 'modp3072',
- 'dh-group16' : 'modp4096',
- 'dh-group17' : 'modp6144',
- 'dh-group18' : 'modp8192',
- 'dh-group19' : 'ecp256',
- 'dh-group20' : 'ecp384',
- 'dh-group21' : 'ecp512',
- 'dh-group22' : 'modp1024s160',
- 'dh-group23' : 'modp2048s224',
- 'dh-group24' : 'modp2048s256',
- 'dh-group25' : 'ecp192',
- 'dh-group26' : 'ecp224',
- 'dh-group27' : 'ecp224bp',
- 'dh-group28' : 'ecp256bp',
- 'dh-group29' : 'ecp384bp',
- 'dh-group30' : 'ecp512bp',
- 'dh-group31' : 'curve25519',
- 'dh-group32' : 'curve448'
-}
-
any_log_modes = [
'dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn',
'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'
]
-ike_ciphers = {}
-esp_ciphers = {}
-
dhcp_wait_attempts = 2
dhcp_wait_sleep = 1
@@ -112,53 +79,32 @@ def get_config(config=None):
ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
- ipsec['dhcp_no_address'] = {}
- ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface'])
- ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings'])
- ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
- ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
- ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
-
- default_ike_pfs = None
-
- if 'ike_group' in ipsec:
- for group, ike_conf in ipsec['ike_group'].items():
- if 'proposal' in ike_conf:
- ciphers = []
- for i in ike_conf['proposal']:
- proposal = ike_conf['proposal'][i]
- enc = proposal['encryption'] if 'encryption' in proposal else None
- hash = proposal['hash'] if 'hash' in proposal else None
- pfs = ('dh-group' + proposal['dh_group']) if 'dh_group' in proposal else default_pfs
-
- if not default_ike_pfs:
- default_ike_pfs = pfs
-
- if enc and hash:
- ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}")
- ike_ciphers[group] = ','.join(ciphers)
-
if 'esp_group' in ipsec:
- for group, esp_conf in ipsec['esp_group'].items():
- pfs = esp_conf['pfs'] if 'pfs' in esp_conf else 'enable'
+ default_values = defaults(base + ['esp-group'])
+ for group in ipsec['esp_group']:
+ ipsec['esp_group'][group] = dict_merge(default_values,
+ ipsec['esp_group'][group])
- if pfs == 'disable':
- pfs = None
+ if 'ike_group' in ipsec:
+ default_values = defaults(base + ['ike-group'])
+ for group in ipsec['ike_group']:
+ ipsec['ike_group'][group] = dict_merge(default_values,
+ ipsec['ike_group'][group])
- if pfs == 'enable':
- pfs = default_ike_pfs
- if 'proposal' in esp_conf:
- ciphers = []
- for i in esp_conf['proposal']:
- proposal = esp_conf['proposal'][i]
- enc = proposal['encryption'] if 'encryption' in proposal else None
- hash = proposal['hash'] if 'hash' in proposal else None
- if enc and hash:
- ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}")
- esp_ciphers[group] = ','.join(ciphers)
+ ipsec['dhcp_no_address'] = {}
+ ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
+ 'interface'])
+ ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access',
+ 'ipsec-settings'])
+ ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
+ ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+ ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'],
+ key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
return ipsec
@@ -361,58 +307,54 @@ def generate(ipsec):
os.unlink(config_file)
return
- data = {}
- if ipsec:
- if ipsec['dhcp_no_address']:
- with open(DHCP_HOOK_IFLIST, 'w') as f:
- f.write(" ".join(ipsec['dhcp_no_address'].values()))
+ if ipsec['dhcp_no_address']:
+ with open(DHCP_HOOK_IFLIST, 'w') as f:
+ f.write(" ".join(ipsec['dhcp_no_address'].values()))
- data = ipsec
- data['authby'] = authby_translate
- data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers}
- data['rsa_local_key'] = verify_rsa_local_key(ipsec)
+ data = ipsec
+ data['rsa_local_key'] = verify_rsa_local_key(ipsec)
- for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
- if not os.path.exists(path):
- os.mkdir(path, mode=0o755)
+ for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
+ if not os.path.exists(path):
+ os.mkdir(path, mode=0o755)
- if not os.path.exists(KEY_PATH):
- os.mkdir(KEY_PATH, mode=0o700)
+ if not os.path.exists(KEY_PATH):
+ os.mkdir(KEY_PATH, mode=0o700)
- if 'site_to_site' in data and 'peer' in data['site_to_site']:
- for peer, peer_conf in ipsec['site_to_site']['peer'].items():
- if peer in ipsec['dhcp_no_address']:
- continue
+ if 'site_to_site' in data and 'peer' in data['site_to_site']:
+ for peer, peer_conf in ipsec['site_to_site']['peer'].items():
+ if peer in ipsec['dhcp_no_address']:
+ continue
- if peer_conf['authentication']['mode'] == 'x509':
- generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509'])
+ if peer_conf['authentication']['mode'] == 'x509':
+ generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509'])
- local_ip = ''
- if 'local_address' in peer_conf:
- local_ip = peer_conf['local_address']
- elif 'dhcp_interface' in peer_conf:
- local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+ local_ip = ''
+ if 'local_address' in peer_conf:
+ local_ip = peer_conf['local_address']
+ elif 'dhcp_interface' in peer_conf:
+ local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
- data['site_to_site']['peer'][peer]['local_address'] = local_ip
+ data['site_to_site']['peer'][peer]['local_address'] = local_ip
- if 'tunnel' in peer_conf:
- for tunnel, tunnel_conf in peer_conf['tunnel'].items():
- local_prefixes = dict_search('local.prefix', tunnel_conf)
- remote_prefixes = dict_search('remote.prefix', tunnel_conf)
+ if 'tunnel' in peer_conf:
+ for tunnel, tunnel_conf in peer_conf['tunnel'].items():
+ local_prefixes = dict_search('local.prefix', tunnel_conf)
+ remote_prefixes = dict_search('remote.prefix', tunnel_conf)
- if not local_prefixes or not remote_prefixes:
- continue
+ if not local_prefixes or not remote_prefixes:
+ continue
- passthrough = []
+ passthrough = []
- for local_prefix in local_prefixes:
- for remote_prefix in remote_prefixes:
- local_net = ipaddress.ip_network(local_prefix)
- remote_net = ipaddress.ip_network(remote_prefix)
- if local_net.overlaps(remote_net):
- passthrough.append(local_prefix)
+ for local_prefix in local_prefixes:
+ for remote_prefix in remote_prefixes:
+ local_net = ipaddress.ip_network(local_prefix)
+ remote_net = ipaddress.ip_network(remote_prefix)
+ if local_net.overlaps(remote_net):
+ passthrough.append(local_prefix)
- data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
+ data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
if 'logging' in ipsec and 'log_modes' in ipsec['logging']:
modes = ipsec['logging']['log_modes']
@@ -448,7 +390,7 @@ def apply(ipsec):
if not ipsec:
call('sudo /usr/sbin/ipsec stop')
else:
- should_start = ('profile' in ipsec or dict_search('site_to_site.peer', ipsec))
+ should_start = 'profile' in ipsec or dict_search('site_to_site.peer', ipsec)
if not process_named_running('charon') and should_start:
args = f'--auto-update {ipsec["auto_update"]}' if 'auto_update' in ipsec else ''
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index 67c0fe84a..2d065f545 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -122,3 +122,63 @@ class TestVyOSTemplate(TestCase):
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48'))
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64'))
self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64'))
+
+ def test_cipher_to_string(self):
+ ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256'
+ IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024'
+
+ data = {
+ 'esp_group': {
+ 'ESP_DEFAULT': {
+ 'compression': 'disable',
+ 'lifetime': '3600',
+ 'mode': 'tunnel',
+ 'pfs': 'dh-group19',
+ 'proposal': {
+ '10': {
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256',
+ },
+ '20': {
+ 'encryption': 'aes128ccm64',
+ 'hash': 'sha256',
+ }
+ }
+ }
+ },
+ 'ike_group': {
+ 'IKEv2_DEFAULT': {
+ 'close_action': 'none',
+ 'dead_peer_detection': {
+ 'action': 'hold',
+ 'interval': '30',
+ 'timeout': '120'
+ },
+ 'ikev2_reauth': 'no',
+ 'key_exchange': 'ikev2',
+ 'lifetime': '10800',
+ 'mobike': 'disable',
+ 'proposal': {
+ '10': {
+ 'dh_group': '19',
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256'
+ },
+ '20': {
+ 'dh_group': '2',
+ 'encryption': 'aes128ccm128',
+ 'hash': 'md5_128'
+ },
+ }
+ }
+ },
+ }
+
+ for group_name, group_config in data['esp_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(ESP_DEFAULT, ','.join(ciphers))
+
+ for group_name, group_config in data['ike_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(IKEv2_DEFAULT, ','.join(ciphers))
+