-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | interface-definitions/include/vpn-ipsec-encryption.xml.i | 233 | ||||
-rw-r--r-- | interface-definitions/include/vpn-ipsec-hash.xml.i | 65 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 1188 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 67 |
5 files changed, 1554 insertions, 0 deletions
@@ -84,6 +84,7 @@ interface_definitions: $(BUILD_DIR) $(obj)
 rm -f $(TMPL_DIR)/system/node.def
 rm -f $(TMPL_DIR)/vpn/node.def
 rm -f $(TMPL_DIR)/vpn/ipsec/node.def
+ rm -rf $(TMPL_DIR)/vpn/nipsec
 
 .PHONY: op_mode_definitions
 .ONESHELL:
diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i
new file mode 100644
index 000000000..1c1d728fc
--- /dev/null
+++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i
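Review bot: `rm -rf $(TMPL_DIR)/vpn/nipsec` is the only recursive delete in this recipe, and like the `rm -f` lines above it runs with `TMPL_DIR` unguarded, so an empty or mis-set value turns the path into `/vpn/nipsec`; a `$(if $(strip $(TMPL_DIR)),,$(error TMPL_DIR is empty))` line at the top of the recipe would cover all four deletes. The hard-coded `nipsec` also has to track the node name that vpn_ipsec.xml.in introduces in the same commit, so a comment such as `# drop the generated template tree of the new-style IPsec node (vpn_ipsec.xml.in)` would tell the next person to change both together. The interface_definitions recipe begins before this hunk.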
@@ -0,0 +1,233 @@
+<!-- included start from vpn-ipsec-encryption.xml.i -->
+ <leafNode name="encryption">
+ <properties>
+ <help>Encryption algorithm</help>
+ <completionHelp>
+ <list>null aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr aes128ccm64 aes192ccm64 aes256ccm64 aes128ccm96 aes192ccm96 aes256ccm96 aes128ccm128 aes192ccm128 aes256ccm128 aes128gcm64 aes192gcm64 aes256gcm64 aes128gcm96 aes192gcm96 aes256gcm96 aes128gcm128 aes192gcm128 aes256gcm128 aes128gmac aes192gmac aes256gmac 3des blowfish128 blowfish192 blowfish256 camellia128 camellia192 camellia256 camellia128ctr camellia192ctr camellia256ctr camellia128ccm64 camellia192ccm64 camellia256ccm64 camellia128ccm96 camellia192ccm96 camellia256ccm96 camellia128ccm128 camellia192ccm128 camellia256ccm128 serpent128 serpent192 serpent256 twofish128 twofish192 twofish256 cast128 chacha20poly1305</list>
+ </completionHelp>
+ <valueHelp>
+ <format>null</format>
+ <description>Null encryption</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128</format>
+ <description>128 bit AES-CBC (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192</format>
+ <description>192 bit AES-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256</format>
+ <description>256 bit AES-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ctr</format>
+ <description>128 bit AES-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ctr</format>
+ <description>192 bit AES-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ctr</format>
+ <description>256 bit AES-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ccm64</format>
+ <description>128 bit AES-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ccm64</format>
+ <description>192 bit AES-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ccm64</format>
+ <description>256 bit AES-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ccm96</format>
+ <description>128 bit AES-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ccm96</format>
+ <description>192 bit AES-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ccm96</format>
+ <description>256 bit AES-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ccm128</format>
+ <description>128 bit AES-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ccm128</format>
+ <description>192 bit AES-CCM with 128 bit IC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ccm128</format>
+ <description>256 bit AES-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm64</format>
+ <description>128 bit AES-GCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm64</format>
+ <description>192 bit AES-GCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm64</format>
+ <description>256 bit AES-GCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm96</format>
+ <description>128 bit AES-GCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm96</format>
+ <description>192 bit AES-GCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm96</format>
+ <description>256 bit AES-GCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm128</format>
+ <description>128 bit AES-GCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm128</format>
+ <description>192 bit AES-GCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm128</format>
+ <description>256 bit AES-GCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gmac</format>
+ <description>Null encryption with 128 bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gmac</format>
+ <description>Null encryption with 192 bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gmac</format>
+ <description>Null encryption with 256 bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>3des</format>
+ <description>168 bit 3DES-EDE-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blowfish128</format>
+ <description>128 bit Blowfish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blowfish192</format>
+ <description>192 bit Blowfish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blowfish256</format>
+ <description>256 bit Blowfish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128</format>
+ <description>128 bit Camellia-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192</format>
+ <description>192 bit Camellia-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256</format>
+ <description>256 bit Camellia-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ctr</format>
+ <description>128 bit Camellia-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ctr</format>
+ <description>192 bit Camellia-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ctr</format>
+ <description>256 bit Camellia-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ccm64</format>
+ <description>128 bit Camellia-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ccm64</format>
+ <description>192 bit Camellia-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ccm64</format>
+ <description>256 bit Camellia-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ccm96</format>
+ <description>128 bit Camellia-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ccm96</format>
+ <description>192 bit Camellia-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ccm96</format>
+ <description>256 bit Camellia-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ccm128</format>
+ <description>128 bit Camellia-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ccm128</format>
+ <description>192 bit Camellia-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ccm128</format>
+ <description>256 bit Camellia-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>serpent128</format>
+ <description>128 bit Serpent-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>serpent192</format>
+ <description>192 bit Serpent-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>serpent256</format>
+ <description>256 bit Serpent-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>twofish128</format>
+ <description>128 bit Twofish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>twofish192</format>
+ <description>192 bit Twofish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>twofish256</format>
+ <description>256 bit Twofish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>cast128</format>
+ <description>128 bit CAST-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>chacha20poly1305</format>
+ <description>256 bit ChaCha20/Poly1305 with 128 bit ICV</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+<!-- included end -->
diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i
new file mode 100644
index 000000000..ca5976d27
--- /dev/null
+++ b/interface-definitions/include/vpn-ipsec-hash.xml.i
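Review bot: The valueHelp for `aes192ccm128` reads `192 bit AES-CCM with 128 bit IC` while every neighbouring entry ends in `ICV`; it should be `<description>192 bit AES-CCM with 128 bit ICV</description>`. Separately, `null`, `3des`, the `blowfish*` entries and `cast128` are presented with the same neutral wording as the AEAD modes, so an operator completing the value gets no hint at the prompt that these are legacy choices; a marker in the description, e.g. `<description>Null encryption (no confidentiality, testing only)</description>` and `<description>168 bit 3DES-EDE-CBC (legacy)</description>`, costs nothing, leaves the regex unchanged and matches how the `aggressive` IKE mode is annotated in vpn_ipsec.xml.in in the same commit. The three `aes*gmac` names also appear in vpn-ipsec-hash.xml.i, which a reader may take for a copy-paste slip; a one-line comment under the include header saying the overlap is intended (here they mean null encryption plus GMAC, there the integrity algorithm) would pre-empt that.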
@@ -0,0 +1,65 @@
+<!-- included start from pn-ipsec-hash.xml.i -->
+ <leafNode name="hash">
+ <properties>
+ <help>Hash algorithm</help>
+ <completionHelp>
+ <list>md5 md5_128 sha1 sha1_160 sha256 sha256_96 sha384 sha512 aesxcbc aescmac aes128gmac aes192gmac aes256gmac</list>
+ </completionHelp>
+ <valueHelp>
+ <format>md5</format>
+ <description>MD5 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>md5_128</format>
+ <description>MD5_128 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha1</format>
+ <description>SHA1 HMAC (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha1_160</format>
+ <description>SHA1_160 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha256</format>
+ <description>SHA2_256_128 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha256_96</format>
+ <description>SHA2_256_96 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha384</format>
+ <description>SHA2_384_192 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha512</format>
+ <description>SHA2_512_256 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aesxcbc</format>
+ <description>AES XCBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aescmac</format>
+ <description>AES CMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gmac</format>
+ <description>128-bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gmac</format>
+ <description>192-bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gmac</format>
+ <description>256-bit AES-GMAC</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+<!-- included end -->
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
new file mode 100644
index 000000000..93eb7e667
--- /dev/null
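Review bot: The include marker on the first line says `pn-ipsec-hash.xml.i`, dropping the leading `v` of the file name, while the sibling encryption include spells its own name out in full; it should read `<!-- included start from vpn-ipsec-hash.xml.i -->`. `md5`/`md5_128` and `sha1`/`sha1_160` (with `sha1` labelled as the default) carry the same plain `HMAC` wording as the SHA-2 entries, so nothing at completion time tells an operator which integrity choices are discouraged; a suffix such as `<description>MD5 HMAC (legacy)</description>` on those four entries would do that without changing what the regex accepts.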
+++ b/interface-definitions/vpn_ipsec.xml.in 
@@ -0,0 +1,1188 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="vpn">
+ <children>
+ <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+ <properties>
+ <help>VPN IP security (IPsec) parameters</help>
+ </properties>
+ <children>
+ <leafNode name="auto-update">
+ <properties>
+ <help>Set auto-update interval for IPsec daemon</help>
+ <valueHelp>
+ <format>30-65535</format>
+ <description>Auto-update interval (s)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 30-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="disable-uniqreqids">
+ <properties>
+ <help>Option to disable requirement for unique IDs in the Security Database</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <tagNode name="esp-group">
+ <properties>
+ <help>Name of Encapsulating Security Payload (ESP) group</help>
+ </properties>
+ <children>
+ <leafNode name="compression">
+ <properties>
+ <help>ESP compression</help>
+ <completionHelp>
+ <list>disable enable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable ESP compression (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable ESP compression</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(disable|enable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="lifetime">
+ <properties>
+ <help>ESP lifetime</help>
+ <valueHelp>
+ <format>30-86400</format>
+ <description>ESP lifetime in seconds (default 3600)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 30-86400"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="mode">
+ <properties>
+ <help>ESP mode</help>
+ <completionHelp>
+ <list>tunnel transport</list>
+ </completionHelp>
+ <valueHelp>
+ <format>tunnel</format>
+ <description>Tunnel mode (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>transport</format>
+ <description>Transport mode</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(tunnel|transport)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="pfs">
+ <properties>
+ <help>ESP Perfect Forward Secrecy</help>
+ <completionHelp>
+ <list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable PFS. Use ike-groups dh-group (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group1</format>
+ <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group2</format>
+ <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group5</format>
+ <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group14</format>
+ <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group15</format>
+ <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group16</format>
+ <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group17</format>
+ <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group18</format>
+ <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group19</format>
+ <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group20</format>
+ <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group21</format>
+ <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group22</format>
+ <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group23</format>
+ <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group24</format>
+ <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group25</format>
+ <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group26</format>
+ <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group27</format>
+ <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group28</format>
+ <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group29</format>
+ <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group30</format>
+ <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group31</format>
+ <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group32</format>
+ <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable PFS</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <tagNode name="proposal">
+ <properties>
+ <help>ESP-group proposal [REQUIRED]</help>
+ <valueHelp>
+ <format><1-65535></format>
+ <description>ESP-group proposal number</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/vpn-ipsec-encryption.xml.i>
+ #include <include/vpn-ipsec-hash.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <tagNode name="ike-group">
+ <properties>
+ <help>Name of Internet Key Exchange (IKE) group</help>
+ </properties>
+ <children>
+ <leafNode name="close-action">
+ <properties>
+ <help>close-action_help</help>
+ <completionHelp>
+ <list>none hold clear restart</list>
+ </completionHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Set action to none (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hold</format>
+ <description>Set action to hold</description>
+ </valueHelp>
+ <valueHelp>
+ <format>clear</format>
+ <description>Set action to clear</description>
+ </valueHelp>
+ <valueHelp>
+ <format>restart</format>
+ <description>Set action to restart</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(none|hold|clear|restart)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="dead-peer-detection">
+ <properties>
+ <help>Dead Peer Detection (DPD)</help>
+ </properties>
+ <children>
+ <leafNode name="action">
+ <properties>
+ <help>Keep-alive failure action</help>
+ <completionHelp>
+ <list>hold clear restart</list>
+ </completionHelp>
+ <valueHelp>
+ <format>hold</format>
+ <description>Set action to hold (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>clear</format>
+ <description>Set action to clear</description>
+ </valueHelp>
+ <valueHelp>
+ <format>restart</format>
+ <description>Set action to restart</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(hold|clear|restart)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="interval">
+ <properties>
+ <help>Keep-alive interval</help>
+ <valueHelp>
+ <format><2-86400></format>
+ <description>Keep-alive interval in seconds (default 30)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 2-86400"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="timeout">
+ <properties>
+ <help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help>
+ <valueHelp>
+ <format><2-86400></format>
+ <description>Keep-alive timeout in seconds (default 120)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 2-86400"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="ikev2-reauth">
+ <properties>
+ <help>ikev2-reauth_help</help>
+ <completionHelp>
+ <list>yes no</list>
+ </completionHelp>
+ <valueHelp>
+ <format>yes</format>
+ <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no</format>
+ <description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(yes|no)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="key-exchange">
+ <properties>
+ <help>Key Exchange Version</help>
+ <completionHelp>
+ <list>ikev1 ikev2</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ikev1</format>
+ <description>Use IKEv1 for Key Exchange [DEFAULT]</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ikev2</format>
+ <description>Use IKEv2 for Key Exchange</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(ikev1|ikev2)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="lifetime">
+ <properties>
+ <help>IKE lifetime</help>
+ <valueHelp>
+ <format><30-86400></format>
+ <description>IKE lifetime in seconds (default 28800)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 30-86400"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="mobike">
+ <properties>
+ <help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable MOBIKE (default for IKEv2)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable MOBIKE</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="mode">
+ <properties>
+ <help>IKEv1 Phase 1 Mode Selection</help>
+ <completionHelp>
+ <list>main aggressive</list>
+ </completionHelp>
+ <valueHelp>
+ <format>main</format>
+ <description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aggressive</format>
+ <description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(main|aggressive)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <tagNode name="proposal">
+ <properties>
+ <help>proposal_help</help>
+ <valueHelp>
+ <format><1-65535></format>
+ <description>IKE-group proposal</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="dh-group">
+ <properties>
+ <help>dh-grouphelp</help>
+ <completionHelp>
+ <list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
+ </completionHelp>
+ <valueHelp>
+ <format>1</format>
+ <description>Diffie-Hellman group 1 (modp768)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>2</format>
+ <description>Diffie-Hellman group 2 (modp1024)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>5</format>
+ <description>Diffie-Hellman group 5 (modp1536)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>14</format>
+ <description>Diffie-Hellman group 14 (modp2048)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>15</format>
+ <description>Diffie-Hellman group 15 (modp3072)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>16</format>
+ <description>Diffie-Hellman group 16 (modp4096)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>17</format>
+ <description>Diffie-Hellman group 17 (modp6144)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>18</format>
+ <description>Diffie-Hellman group 18 (modp8192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>19</format>
+ <description>Diffie-Hellman group 19 (ecp256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>20</format>
+ <description>Diffie-Hellman group 20 (ecp384)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>21</format>
+ <description>Diffie-Hellman group 21 (ecp521)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>22</format>
+ <description>Diffie-Hellman group 22 (modp1024s160)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>23</format>
+ <description>Diffie-Hellman group 23 (modp2048s224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>24</format>
+ <description>Diffie-Hellman group 24 (modp2048s256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>25</format>
+ <description>Diffie-Hellman group 25 (ecp192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>26</format>
+ <description>Diffie-Hellman group 26 (ecp224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>27</format>
+ <description>Diffie-Hellman group 27 (ecp224bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>28</format>
+ <description>Diffie-Hellman group 28 (ecp256bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>29</format>
+ <description>Diffie-Hellman group 29 (ecp384bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>30</format>
+ <description>Diffie-Hellman group 30 (ecp512bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>31</format>
+ <description>Diffie-Hellman group 31 (curve25519)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>32</format>
+ <description>Diffie-Hellman group 32 (curve448)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/vpn-ipsec-encryption.xml.i>
+ #include <include/vpn-ipsec-hash.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <leafNode name="include-ipsec-conf">
+ <properties>
+ <help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help>
+ </properties>
+ </leafNode>
+ <leafNode name="include-ipsec-secrets">
+ <properties>
+ <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
+ </properties>
+ </leafNode>
+ <node name="ipsec-interfaces">
+ <properties>
+ <help>Interface to use for VPN [REQUIRED]</help>
+ </properties>
+ <children>
+ <leafNode name="interface">
+ <properties>
+ <help>IPsec interface [REQUIRED]</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="logging">
+ <properties>
+ <help>IPsec logging</help>
+ </properties>
+ <children>
+ <leafNode name="log-level">
+ <properties>
+ <help>strongSwan Logger Level</help>
+ <valueHelp>
+ <format><0-2></format>
+ <description>Logger Verbosity Level (default 0)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-2"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="log-modes">
+ <properties>
+ <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help>
+ <completionHelp>
+ <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
+ </completionHelp>
+ <valueHelp>
+ <format>dmn</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>mgr</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ike</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>chd</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>job</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>cfg</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>knl</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>net</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>asn</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>enc</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>lib</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>esp</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tls</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tnc</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>imc</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>imv</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pts</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Debug log option for strongSwan</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="nat-networks">
+ <properties>
+ <help>Network Address Translation (NAT) networks</help>
+ </properties>
+ <children>
+ <tagNode name="allowed-network">
+ <properties>
+ <help>NAT networks to allow</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>NAT networks to allow</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="exclude">
+ <properties>
+ <help>NAT networks to exclude from allowed-networks</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>NAT networks to exclude from allowed-networks</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <leafNode name="nat-traversal">
+ <properties>
+ <help>Network Address Translation (NAT) traversal</help>
+ <completionHelp>
+ <list>disable enable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable NAT-T</description>
+ </valueHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable NAT-T</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(disable|enable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="options">
+ <properties>
+ <help>Global IPsec settings</help>
+ </properties>
+ <children>
+ <leafNode name="disable-route-autoinstall">
+ <properties>
+ <help>Do not automatically install routes to remote networks</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <tagNode name="profile">
+ <properties>
+ <help>VPN IPSec Profile</help>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication [REQUIRED]</help>
+ </properties>
+ <children>
+ <node name="mode">
+ <properties>
+ <help>Authentication mode</help>
+ </properties>
+ <children>
+ <leafNode name="pre-shared-secret">
+ <properties>
+ <help>Use pre-shared secret key</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="pre-shared-secret">
+ <properties>
+ <help>Pre-shared secret key</help>
+ <valueHelp>
+ <format><text></format>
+ <description>Pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="bind">
+ <properties>
+ <help>DMVPN crypto configuration</help>
+ </properties>
+ <children>
+ <leafNode name="bind_child">
+ <properties>
+ <help>bind_child_help</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="esp-group">
+ <properties>
+ <help>Esp group name [REQUIRED]</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="ike-group">
+ <properties>
+ <help>Ike group name [REQUIRED]</help>
+ <completionHelp>
+ <path>vpn ipsec ike-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <node name="site-to-site">
+ <properties>
+ <help>Site to site VPN</help>
+ </properties>
+ <children>
+ <tagNode name="peer">
+ <properties>
+ <help>VPN peer</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address of the peer</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address of the peer</description>
+ </valueHelp>
+ <valueHelp>
+ <format><text></format>
+ <description>Hostname of the peer</description>
+ </valueHelp>
+ <valueHelp>
+ <format><@text></format>
+ <description>ID of the peer</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Peer authentication [REQUIRED]</help>
+ </properties>
+ <children>
+ <leafNode name="id">
+ <properties>
+ <help>ID for peer authentication</help>
+ <valueHelp>
+ <format><text></format>
+ <description>ID used for peer authentication</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="mode">
+ <properties>
+ <help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret rsa x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>pre-shared-secret_description</description>
+ </valueHelp>
+ <valueHelp>
+ <format>rsa</format>
+ <description>rsa_description</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>x509_description</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(pre-shared-secret|rsa|x509)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="pre-shared-secret">
+ <properties>
+ <help>Pre-shared secret key</help>
+ <valueHelp>
+ <format><text></format>
+ <description>Pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="remote-id">
+ <properties>
+ <help>ID for remote authentication</help>
+ <valueHelp>
+ <format><text></format>
+ <description>ID used for peer authentication</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="rsa-key-name">
+ <properties>
+ <help>RSA key name</help>
+ </properties>
+ </leafNode>
+ <leafNode name="use-x509-id">
+ <properties>
+ <help>Use certificate common name as ID</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <node name="x509">
+ <properties>
+ <help>X.509 certificate</help>
+ </properties>
+ <children>
+ <leafNode name="ca-cert-file">
+ <properties>
+ <help>File containing the X.509 certificate for the Certificate Authority (CA)</help>
+ <valueHelp>
+ <format><text></format>
+ <description>File in /config/auth</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="cert-file">
+ <properties>
+ <help>File containing the X.509 certificate for this host</help>
+ <valueHelp>
+ <format><text></format>
+ <description>File in /config/auth</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="crl-file">
+ <properties>
+ <help>File containing the X.509 Certificate Revocation List (CRL)</help>
+ <valueHelp>
+ <format><text></format>
+ <description>File in /config/auth</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <node name="key">
+ <properties>
+ <help>Key file and password to open it</help>
+ </properties>
+ <children>
+ <leafNode name="file">
+ <properties>
+ <help>File containing the private key for the X.509 certificate for this host</help>
+ <valueHelp>
+ <format><text></format>
+ <description>File in /config/auth</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="password">
+ <properties>
+ <help>Password that protects the private key</help>
+ <valueHelp>
+ 
<format><text></format> + <description>Password that protects the private key</description> + </valueHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> + <leafNode name="connection-type"> + <properties> + <help>Connection type</help> + <completionHelp> + <list>initiate respond</list> + </completionHelp> + <valueHelp> + <format>initiate</format> + <description>initiate_description</description> + </valueHelp> + <valueHelp> + <format>respond</format> + <description>respond_description</description> + </valueHelp> + <constraint> + <regex>^(initiate|respond)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="default-esp-group"> + <properties> + <help>Defult ESP group name</help> + </properties> + </leafNode> + <leafNode name="description"> + <properties> + <help>VPN peer description</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="dhcp-interface"> + <properties> + <help>DHCP interface to listen on</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="force-encapsulation"> + <properties> + <help>Force UDP Encapsulation for ESP Payloads</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>This endpoint will force UDP encapsulation for this peer</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>This endpoint will not force UDP encapsulation for this peer</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="ike-group"> + <properties> + <help>Internet Key Exchange (IKE) group name [REQUIRED]</help> + <completionHelp> + <path>vpn ipsec ike-group</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="ikev2-reauth"> + <properties> + <help>Re-authentication of the remote peer during an IKE re-key. 
IKEv2 option only</help> + <completionHelp> + <list>yes no inherit</list> + </completionHelp> + <valueHelp> + <format>yes</format> + <description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description> + </valueHelp> + <valueHelp> + <format>no</format> + <description>Disable remote host re-authenticaton during an IKE re-key.</description> + </valueHelp> + <valueHelp> + <format>inherit</format> + <description>Inherit the reauth configuration form your IKE-group (Default)</description> + </valueHelp> + <constraint> + <regex>^(yes|no|inherit)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="local-address"> + <properties> + <help>IPv4 or IPv6 address of a local interface to use for VPN</help> + <completionHelp> + <list>any</list> + </completionHelp> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address of a local interface for VPN</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address of a local interface for VPN</description> + </valueHelp> + <valueHelp> + <format>any</format> + <description>Allow any IPv4 address present on the system to be used for VPN</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <regex>^(any)$</regex> + </constraint> + </properties> + </leafNode> + <tagNode name="tunnel"> + <properties> + <help>Peer tunnel [REQUIRED]</help> + <valueHelp> + <format><0-4294967295></format> + <description>Peer tunnel [REQUIRED]</description> + </valueHelp> + </properties> + <children> + <leafNode name="allow-nat-networks"> + <properties> + <help>Option to allow NAT networks</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable NAT networks</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable NAT networks (default)</description> + </valueHelp> + 
<constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="allow-public-networks"> + <properties> + <help>Option to allow public networks</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable public networks</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable public networks (default)</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="disable"> + <properties> + <help>Option to disable vpn tunnel</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="esp-group"> + <properties> + <help>ESP group name</help> + <completionHelp> + <path>vpn ipsec esp-group</path> + </completionHelp> + </properties> + </leafNode> + <node name="local"> + <properties> + <help>Local parameters for interesting traffic</help> + </properties> + <children> + <leafNode name="port"> + <properties> + <help>Any TCP or UDP port</help> + <valueHelp> + <format><port name></format> + <description>Named port (any name in /etc/services, e.g., http)</description> + </valueHelp> + <valueHelp> + <format><1-65535></format> + <description>Numbered port</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="prefix"> + <properties> + <help>Local IPv4 or IPv6 prefix</help> + <valueHelp> + <format>ipv4</format> + <description>Local IPv4 prefix</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Local IPv6 prefix</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <leafNode name="protocol"> + <properties> + <help>Protocol to encrypt</help> + <valueless/> + </properties> + </leafNode> + <node name="remote"> + <properties> + <help>Remote parameters for 
interesting traffic</help>
+ </properties>
+ <children>
+ <leafNode name="port">
+ <properties>
+ <help>Any TCP or UDP port</help>
+ <valueHelp>
+ <format><port name></format>
+ <description>Named port (any name in /etc/services, e.g., http)</description>
+ </valueHelp>
+ <valueHelp>
+ <format><1-65535></format>
+ <description>Numbered port</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix">
+ <properties>
+ <help>Remote IPv4 or IPv6 prefix</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Remote IPv4 prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Remote IPv6 prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ <node name="vti">
+ <properties>
+ <help>Virtual tunnel interface [REQUIRED]</help>
+ </properties>
+ <children>
+ <leafNode name="bind">
+ <properties>
+ <help>VTI tunnel interface associated with this configuration [REQUIRED]</help>
+ </properties>
+ </leafNode>
+ <leafNode name="esp-group">
+ <properties>
+ <help>ESP group name [REQUIRED]</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
new file mode 100755
index 000000000..969266c30
--- /dev/null
+++ b/src/conf_mode/vpn_ipsec.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.template import render
+from vyos.util import call
+from vyos.util import dict_search
+from vyos import ConfigError
+from vyos import airbag
+from pprint import pprint
+airbag.enable()
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['vpn', 'nipsec']
+    if not conf.exists(base):
+        return None
+
+    # retrieve common dictionary keys
+    ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+    return ipsec
+
+def verify(ipsec):
+    if not ipsec:
+        return None
+
+def generate(ipsec):
+    if not ipsec:
+        return None
+
+    return ipsec
+
+def apply(ipsec):
+    if not ipsec:
+        return None
+
+    pprint(ipsec)
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
|
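Review bot: `pprint(ipsec)` in apply() writes the entire configuration dictionary to stdout, and the interface definition added in this same commit places `pre-shared-secret` values and the x509 key `password` into that dictionary, so every commit of this subtree would echo those secrets to the console and to anything capturing commit output. Drop the line together with `from pprint import pprint`, or gate it behind an explicit debug switch that redacts those keys before printing. verify() currently accepts any input although the XML marks `ike-group`, `esp-group` and `authentication` as [REQUIRED]; if this is intentionally a scaffold, a comment such as `# TODO: enforce the [REQUIRED] leafs declared in vpn_ipsec.xml.in` there would make that explicit rather than leaving an empty validator that looks finished. `os`, `render`, `call` and `dict_search` are imported but unused in this file.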