summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--data/templates/ipsec/swanctl/peer.j26
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j23
-rw-r--r--interface-definitions/include/ipsec/replay-window.xml.i19
-rw-r--r--interface-definitions/vpn_ipsec.xml.in2
-rw-r--r--python/vyos/config.py2
-rwxr-xr-xsmoketest/scripts/cli/test_service_https.py2
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py23
-rwxr-xr-xsrc/init/vyos-router2
8 files changed, 48 insertions, 11 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index c5841fb91..58f0199fa 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -86,6 +86,9 @@
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
close_action = {{ ike.close_action }}
+{% if peer_conf.replay_window is vyos_defined %}
+ replay_window = {{ peer_conf.replay_window }}
+{% endif %}
}
{% elif peer_conf.tunnel is vyos_defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
@@ -136,6 +139,9 @@
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
close_action = {{ ike.close_action }}
+{% if peer_conf.replay_window is vyos_defined %}
+ replay_window = {{ peer_conf.replay_window }}
+{% endif %}
{% if peer_conf.vti.bind is vyos_defined %}
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index 01dc8a4a7..bce8684fe 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -43,6 +43,9 @@
rand_time = 540s
dpd_action = clear
inactivity = {{ rw_conf.timeout }}
+{% if rw_conf.replay_window is vyos_defined %}
+ replay_window = {{ rw_conf.replay_window }}
+{% endif %}
{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
diff --git a/interface-definitions/include/ipsec/replay-window.xml.i b/interface-definitions/include/ipsec/replay-window.xml.i
new file mode 100644
index 000000000..f35ed550a
--- /dev/null
+++ b/interface-definitions/include/ipsec/replay-window.xml.i
@@ -0,0 +1,19 @@
+<!-- include start from ipsec/replay-window.xml.i -->
+<leafNode name="replay-window">
+ <properties>
+ <help>IPsec replay window to configure for this CHILD_SA</help>
+ <valueHelp>
+ <format>u32:0</format>
+ <description>Disable IPsec replay protection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1-2040</format>
+ <description>Replay window size in packets</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-2040"/>
+ </constraint>
+ </properties>
+ <defaultValue>32</defaultValue>
+ </leafNode>
+ <!-- include end -->
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 9d1d5d824..44ca1c7a0 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -826,6 +826,7 @@
#include <include/ipsec/ike-group.xml.i>
#include <include/ipsec/local-address.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
+ #include <include/ipsec/replay-window.xml.i>
<leafNode name="timeout">
<properties>
<help>Timeout to close connection if no data is transmitted</help>
@@ -1100,6 +1101,7 @@
</leafNode>
#include <include/ipsec/local-address.xml.i>
#include <include/ipsec/remote-address.xml.i>
+ #include <include/ipsec/replay-window.xml.i>
<tagNode name="tunnel">
<properties>
<help>Peer tunnel</help>
diff --git a/python/vyos/config.py b/python/vyos/config.py
index bee85315d..7619ad367 100644
--- a/python/vyos/config.py
+++ b/python/vyos/config.py
@@ -343,7 +343,7 @@ class Config(object):
pki_dict['certificate'][certificate] = config_dict_mangle_acme(
certificate, pki_dict['certificate'][certificate])
- conf_dict['pki'] = pki_dict
+ conf_dict['pki'] = pki_dict
# save optional args for a call to get_config_defaults
setattr(conf_dict, '_dict_kwargs', kwargs)
diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py
index 8d9b8459e..94eade2d7 100755
--- a/smoketest/scripts/cli/test_service_https.py
+++ b/smoketest/scripts/cli/test_service_https.py
@@ -19,6 +19,7 @@ import json
from requests import request
from urllib3.exceptions import InsecureRequestWarning
+from time import sleep
from base_vyostest_shim import VyOSUnitTestSHIM
from base_vyostest_shim import ignore_warning
@@ -305,6 +306,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
self.cli_commit()
+ sleep(2)
r = request('POST', url, verify=False, headers=headers, data=payload)
# api configured; expect 200
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index f5369ee7a..09e10a2c4 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -155,7 +155,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
def tearDownPKI(self):
self.cli_delete(['pki'])
- def test_01_dhcp_fail_handling(self):
+ def test_dhcp_fail_handling(self):
# Skip process check - connection is not created for this test
self.skip_process_check = True
@@ -185,7 +185,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_delete(ethernet_path + [interface, 'vif', vif, 'address'])
- def test_02_site_to_site(self):
+ def test_site_to_site(self):
self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
local_address = '192.0.2.10'
@@ -248,6 +248,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'remote_ts = 10.2.0.0/16',
f'priority = {priority}',
f'mode = tunnel',
+ f'replay_window = 32',
]
for line in swanctl_conf_lines:
self.assertIn(line, swanctl_conf)
@@ -263,7 +264,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertRegex(swanctl_conf, fr'{line}')
- def test_03_site_to_site_vti(self):
+ def test_site_to_site_vti(self):
local_address = '192.0.2.10'
vti = 'vti10'
# IKE
@@ -317,6 +318,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'remote_ts = 172.17.10.0/24,172.17.11.0/24',
f'ipcomp = yes',
f'start_action = none',
+ f'replay_window = 32',
f'if_id_in = {if_id}', # will be 11 for vti10 - shifted by one
f'if_id_out = {if_id}',
f'updown = "/etc/ipsec.d/vti-up-down {vti}"'
@@ -333,7 +335,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertRegex(swanctl_conf, fr'{line}')
- def test_04_dmvpn(self):
+ def test_dmvpn(self):
tunnel_if = 'tun100'
nhrp_secret = 'secret'
ike_lifetime = '3600'
@@ -396,7 +398,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
# There is only one NHRP test so no need to delete this globally in tearDown()
self.cli_delete(nhrp_path)
- def test_05_x509_site2site(self):
+ def test_site_to_site_x509(self):
# Enable PKI
self.setupPKI()
@@ -474,7 +476,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.tearDownPKI()
- def test_06_flex_vpn_vips(self):
+ def test_flex_vpn_vips(self):
local_address = '192.0.2.5'
local_id = 'vyos-r1'
remote_id = 'vyos-r2'
@@ -549,7 +551,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertIn(line, charon_conf)
- def test_07_ikev2_road_warrior(self):
+ def test_remote_access(self):
# This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
self.setupPKI()
@@ -640,6 +642,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
f'rekey_time = {eap_lifetime}s',
f'rand_time = 540s',
f'dpd_action = clear',
+ f'replay_window = 32',
f'inactivity = 28800',
f'local_ts = 0.0.0.0/0,::/0',
]
@@ -668,7 +671,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.tearDownPKI()
- def test_08_ikev2_road_warrior_client_auth_eap_tls(self):
+ def test_remote_access_eap_tls(self):
# This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
self.setupPKI()
@@ -780,7 +783,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.tearDownPKI()
- def test_09_ikev2_road_warrior_client_auth_x509(self):
+ def test_remote_access_x509(self):
# This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
self.setupPKI()
diff --git a/src/init/vyos-router b/src/init/vyos-router
index aaecbf2a1..ac1cf249e 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -448,12 +448,14 @@ start ()
restore_if_missing_postconfig_script
run_postconfig_scripts
+ vtysh -c "rpki start"
}
stop()
{
local -i status=0
log_daemon_msg "Stopping VyOS router"
+ vtysh -c "rpki stop"
for ((i=${#sub_inits[@]} - 1; i >= 0; i--)) ; do
s=${subinit[$i]}
log_progress_msg $s