diff options
-rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 | 6 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 | 3 | ||||
-rw-r--r-- | interface-definitions/include/ipsec/replay-window.xml.i | 19 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 2 | ||||
-rw-r--r-- | python/vyos/config.py | 2 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_https.py | 2 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 23 | ||||
-rwxr-xr-x | src/init/vyos-router | 2 |
8 files changed, 48 insertions, 11 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index c5841fb91..58f0199fa 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -86,6 +86,9 @@ dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} close_action = {{ ike.close_action }} +{% if peer_conf.replay_window is vyos_defined %} + replay_window = {{ peer_conf.replay_window }} +{% endif %} } {% elif peer_conf.tunnel is vyos_defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} @@ -136,6 +139,9 @@ dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} close_action = {{ ike.close_action }} +{% if peer_conf.replay_window is vyos_defined %} + replay_window = {{ peer_conf.replay_window }} +{% endif %} {% if peer_conf.vti.bind is vyos_defined %} {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} {# Thus we simply shift the key by one to also support a vti0 interface #} diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index 01dc8a4a7..bce8684fe 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -43,6 +43,9 @@ rand_time = 540s dpd_action = clear inactivity = {{ rw_conf.timeout }} +{% if rw_conf.replay_window is vyos_defined %} + replay_window = {{ rw_conf.replay_window }} +{% endif %} {% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} {% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} diff --git a/interface-definitions/include/ipsec/replay-window.xml.i b/interface-definitions/include/ipsec/replay-window.xml.i new file mode 100644 index 000000000..f35ed550a --- /dev/null +++ b/interface-definitions/include/ipsec/replay-window.xml.i @@ -0,0 +1,19 @@ +<!-- include start from ipsec/replay-window.xml.i --> +<leafNode name="replay-window"> + <properties> + <help>IPsec replay window to configure for this CHILD_SA</help> + <valueHelp> + <format>u32:0</format> + <description>Disable IPsec replay protection</description> + </valueHelp> + <valueHelp> + <format>u32:1-2040</format> + <description>Replay window size in packets</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-2040"/> + </constraint> + </properties> + <defaultValue>32</defaultValue> + </leafNode> + <!-- include end --> diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 9d1d5d824..44ca1c7a0 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -826,6 +826,7 @@ #include <include/ipsec/ike-group.xml.i> #include <include/ipsec/local-address.xml.i> #include <include/ipsec/local-traffic-selector.xml.i> + #include <include/ipsec/replay-window.xml.i> <leafNode name="timeout"> <properties> <help>Timeout to close connection if no data is transmitted</help> @@ -1100,6 +1101,7 @@ </leafNode> #include <include/ipsec/local-address.xml.i> #include <include/ipsec/remote-address.xml.i> + #include <include/ipsec/replay-window.xml.i> <tagNode name="tunnel"> <properties> <help>Peer tunnel</help> diff --git a/python/vyos/config.py b/python/vyos/config.py index bee85315d..7619ad367 100644 --- a/python/vyos/config.py +++ b/python/vyos/config.py @@ -343,7 +343,7 @@ class Config(object): pki_dict['certificate'][certificate] = config_dict_mangle_acme( certificate, pki_dict['certificate'][certificate]) - conf_dict['pki'] = pki_dict + conf_dict['pki'] = pki_dict # save optional args for a call to get_config_defaults setattr(conf_dict, '_dict_kwargs', kwargs) diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py index 8d9b8459e..94eade2d7 100755 --- a/smoketest/scripts/cli/test_service_https.py +++ b/smoketest/scripts/cli/test_service_https.py @@ -19,6 +19,7 @@ import json from requests import request from urllib3.exceptions import InsecureRequestWarning +from time import sleep from base_vyostest_shim import VyOSUnitTestSHIM from base_vyostest_shim import ignore_warning @@ -305,6 +306,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key]) self.cli_commit() + sleep(2) r = request('POST', url, verify=False, headers=headers, data=payload) # api configured; expect 200 diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index f5369ee7a..09e10a2c4 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021-2023 VyOS maintainers and contributors +# Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -155,7 +155,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): def tearDownPKI(self): self.cli_delete(['pki']) - def test_01_dhcp_fail_handling(self): + def test_dhcp_fail_handling(self): # Skip process check - connection is not created for this test self.skip_process_check = True @@ -185,7 +185,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.cli_delete(ethernet_path + [interface, 'vif', vif, 'address']) - def test_02_site_to_site(self): + def test_site_to_site(self): self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) local_address = '192.0.2.10' @@ -248,6 +248,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'remote_ts = 10.2.0.0/16', f'priority = {priority}', f'mode = tunnel', + f'replay_window = 32', ] for line in swanctl_conf_lines: self.assertIn(line, swanctl_conf) @@ -263,7 +264,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.assertRegex(swanctl_conf, fr'{line}') - def test_03_site_to_site_vti(self): + def test_site_to_site_vti(self): local_address = '192.0.2.10' vti = 'vti10' # IKE @@ -317,6 +318,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'remote_ts = 172.17.10.0/24,172.17.11.0/24', f'ipcomp = yes', f'start_action = none', + f'replay_window = 32', f'if_id_in = {if_id}', # will be 11 for vti10 - shifted by one f'if_id_out = {if_id}', f'updown = "/etc/ipsec.d/vti-up-down {vti}"' @@ -333,7 +335,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.assertRegex(swanctl_conf, fr'{line}') - def test_04_dmvpn(self): + def test_dmvpn(self): tunnel_if = 'tun100' nhrp_secret = 'secret' ike_lifetime = '3600' @@ -396,7 +398,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): # There is only one NHRP test so no need to delete this globally in tearDown() self.cli_delete(nhrp_path) - def test_05_x509_site2site(self): + def test_site_to_site_x509(self): # Enable PKI self.setupPKI() @@ -474,7 +476,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.tearDownPKI() - def test_06_flex_vpn_vips(self): + def test_flex_vpn_vips(self): local_address = '192.0.2.5' local_id = 'vyos-r1' remote_id = 'vyos-r2' @@ -549,7 +551,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.assertIn(line, charon_conf) - def test_07_ikev2_road_warrior(self): + def test_remote_access(self): # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17 self.setupPKI() @@ -640,6 +642,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'rekey_time = {eap_lifetime}s', f'rand_time = 540s', f'dpd_action = clear', + f'replay_window = 32', f'inactivity = 28800', f'local_ts = 0.0.0.0/0,::/0', ] @@ -668,7 +671,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.tearDownPKI() - def test_08_ikev2_road_warrior_client_auth_eap_tls(self): + def test_remote_access_eap_tls(self): # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17 self.setupPKI() @@ -780,7 +783,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.tearDownPKI() - def test_09_ikev2_road_warrior_client_auth_x509(self): + def test_remote_access_x509(self): # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17 self.setupPKI() diff --git a/src/init/vyos-router b/src/init/vyos-router index aaecbf2a1..ac1cf249e 100755 --- a/src/init/vyos-router +++ b/src/init/vyos-router @@ -448,12 +448,14 @@ start () restore_if_missing_postconfig_script run_postconfig_scripts + vtysh -c "rpki start" } stop() { local -i status=0 log_daemon_msg "Stopping VyOS router" + vtysh -c "rpki stop" for ((i=${#sub_inits[@]} - 1; i >= 0; i--)) ; do s=${subinit[$i]} log_progress_msg $s |