summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--data/templates/ipsec/ipsec.conf.tmpl9
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl110
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl156
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl35
-rw-r--r--debian/control11
-rw-r--r--interface-definitions/firewall.xml.in18
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i2
-rw-r--r--interface-definitions/include/firewall/description.xml.i11
-rw-r--r--interface-definitions/include/generic-description.xml.i (renamed from interface-definitions/include/policy/description.xml.i)2
-rw-r--r--interface-definitions/include/ipsec/authentication-id.xml.i11
-rw-r--r--interface-definitions/include/ipsec/authentication-x509.xml.i11
-rw-r--r--interface-definitions/include/ipsec/esp-group.xml.i10
-rw-r--r--interface-definitions/include/ipsec/ike-group.xml.i10
-rw-r--r--interface-definitions/policy.xml.in36
-rw-r--r--interface-definitions/vpn_ipsec.xml.in181
-rw-r--r--python/vyos/template.py46
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py5
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py205
-rwxr-xr-xsrc/migration-scripts/ipsec/5-to-614
-rw-r--r--src/tests/test_template.py60
20 files changed, 509 insertions, 434 deletions
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index 6550ea419..a9ea1aac7 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
@@ -1,6 +1,15 @@
# Created by VyOS - manual changes will be overwritten
config setup
+{% set charondebug = '' %}
+{% if log is defined and log.subsystem is defined and log.subsystem is not none %}
+{% set subsystem = log.subsystem %}
+{% if 'any' in log.subsystem %}
+{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn',
+ 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'] %}
+{% endif %}
+{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %}
+{% endif %}
charondebug = "{{ charondebug }}"
uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }}
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 0ff08ee15..06fd8e8c2 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,72 +1,86 @@
-# Created by VyOS - manual changes will be overwritten
-
+### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
-{% if profile is defined or site_to_site is defined %}
connections {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
-{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% set peer_ike = ike_group[peer_conf.ike_group] %}
-{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
-{% set auth_type = authby[peer_conf.authentication.mode] %}
-{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
-{% endfor %}
-{% endif %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if remote_access is defined and remote_access is not none %}
+{% set ike = ike_group[peer_conf.ike_group] %}
+ road_warrior {
+ proposals = {{ ike | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ local_addrs = 192.168.0.1
+ local {
+ auth = eap-peap
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-peap
+ }
+ send_certreq = no
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }}
+ }
+ }
+ }
+{% endif %}
}
secrets {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
-{% for interface in profile_conf.bind.tunnel %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% for interface in profile_conf.bind.tunnel %}
ike-dmvpn-{{ interface }} {
secret = {{ profile_conf.authentication.pre_shared_secret }}
}
-{% endfor %}
-{% endif %}
{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% set ns = namespace(local_key_set=False) %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
- ike_{{ peer_conn_name }} {
-{% if peer_conf.local_address is defined %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% set ns = namespace(local_key_set=False) %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{% set peer_name = peer.replace(".", "-").replace("@", "") %}
+{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
+ ike_{{ peer_name }} {
+{% if peer_conf.local_address is defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{% endif %}
+{% endif %}
id-remote = {{ peer }}
-{% if peer_conf.authentication.id is defined %}
+{% if peer_conf.authentication.id is defined %}
id-localid = {{ peer_conf.authentication.id }}
-{% endif %}
-{% if peer_conf.authentication.remote_id is defined %}
+{% endif %}
+{% if peer_conf.authentication.remote_id is defined %}
id-remoteid = {{ peer_conf.authentication.remote_id }}
-{% endif %}
+{% endif %}
secret = "{{ peer_conf.authentication.pre_shared_secret }}"
}
-{% elif peer_conf.authentication.mode == 'x509' %}
- private_{{ peer_conn_name }} {
+{% elif peer_conf.authentication.mode == 'x509' %}
+ private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
-{% if peer_conf.authentication.x509.passphrase is defined %}
+{% if peer_conf.authentication.x509.passphrase is defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
-{% endif %}
+{% endif %}
}
-{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
-{% set ns.local_key_set = True %}
+{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
+{% set ns.local_key_set = True %}
rsa_local {
file = {{ rsa_local_key }}
}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
-{% endif %}
+
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index c97ac1f67..4ace06701 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -1,136 +1,134 @@
-{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %}
+{% macro conn(peer, peer_conf, ike_group, esp_group) %}
+{% set name = peer.replace(".", "-").replace("@", "") %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
- proposals = {{ ciphers.ike[peer_conf.ike_group] }}
- version = {{ ike['key_exchange'][4:] if "key_exchange" in ike else "0" }}
+ proposals = {{ ike | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
-{% if peer_conf.authentication.mode == 'x509' %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
send_cert = always
-{% endif %}
-{% if "dead_peer_detection" in ike %}
+{% endif %}
+{% if ike.dead_peer_detection is defined %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
-{% endif %}
-{% if "key_exchange" in ike and ike.key_exchange == "ikev1" and "mode" in ike and ike.mode == "aggressive" %}
+{% endif %}
+{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %}
aggressive = yes
-{% endif %}
- mobike = {{ "yes" if "mobike" not in ike or ike.mobike == "enable" else "no" }}
-{% if peer[0:1] == '@' %}
+{% endif %}
+ mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
+{% if peer[0:1] == '@' %}
keyingtries = 0
rekey_time = 0
reauth_time = 0
-{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
+{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
keyingtries = 0
-{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %}
+{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %}
keyingtries = 1
-{% endif %}
-{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %}
+{% endif %}
+{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %}
encap = yes
-{% endif %}
+{% endif %}
local {
-{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
id = "{{ peer_conf.authentication.id }}"
-{% endif %}
-{% if auth_type %}
- auth = {{ auth_type }}
-{% endif %}
-{% if peer_conf.authentication.mode == 'x509' %}
+{% endif %}
+ auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
+{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
-{% elif peer_conf.authentication.mode == 'rsa' %}
+{% elif peer_conf.authentication.mode == 'rsa' %}
pubkeys = localhost.pub
-{% endif %}
+{% endif %}
}
remote {
-{% if peer_conf.authentication.remote_id is defined %}
+{% if peer_conf.authentication.remote_id is defined %}
id = "{{ peer_conf.authentication.remote_id }}"
-{% elif peer[0:1] == '@' %}
+{% elif peer[0:1] == '@' %}
id = "{{ peer }}"
-{% endif %}
-{% if auth_type %}
- auth = {{ auth_type }}
-{% endif %}
-{% if peer_conf.authentication.mode == 'rsa' %}
+{% endif %}
+ auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
+{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub
-{% endif %}
+{% endif %}
}
children {
-{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
-{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
+{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
+{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
peer_{{ name }}_vti {
- esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }}
+ esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
- ipcomp = {{ 'yes' if "compression" in vti_esp and vti_esp.compression == 'enable' else 'no' }}
- mode = {{ vti_esp.mode if "mode" in vti_esp else "tunnel" }}
-{% if peer[0:1] == '@' %}
+ ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
+ mode = {{ vti_esp.mode }}
+{% if peer[0:1] == '@' %}
start_action = none
-{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
+{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
-{% elif peer_conf.connection_type == 'respond' %}
+{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
-{% endif %}
-{% if "dead_peer_detection" in ike %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
+{% endif %}
+{% if ike.dead_peer_detection is defined %}
+{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
-{% endif %}
+{% endif %}
}
-{% endif %}
-{% if peer_conf.tunnel is defined %}
-{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
-{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %}
-{% set tunnel_esp = esp_group[tunnel_esp_name] %}
-{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '' %}
-{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
-{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
-{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
-{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
+{% elif peer_conf.tunnel is defined %}
+{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
+{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
+{% set tunnel_esp = esp_group[tunnel_esp_name] %}
+{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %}
+{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
+{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
+{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
+{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
- esp_proposals = {{ ciphers.esp[tunnel_esp_name] }}
-{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
-{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
-{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
+ esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }}
+{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
+{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
+{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
-{% endif %}
-{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
-{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
+{% endif %}
+{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
+{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
-{% endif %}
-{% elif tunnel_esp.mode == 'transport' %}
+{% endif %}
+{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
-{% endif %}
- ipcomp = {{ 'yes' if "compression" in tunnel_esp and tunnel_esp.compression == 'enable' else 'no' }}
- mode = {{ tunnel_esp.mode if "mode" in tunnel_esp else "tunnel" }}
-{% if peer[0:1] == '@' %}
+{% endif %}
+ ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
+ mode = {{ tunnel_esp.mode }}
+{% if peer[0:1] == '@' %}
start_action = none
-{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
+{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
-{% elif peer_conf.connection_type == 'respond' %}
+{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
-{% endif %}
-{% if "dead_peer_detection" in ike %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
+{% endif %}
+{% if ike.dead_peer_detection is defined %}
+{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
-{% endif %}
-{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
+{% endif %}
+{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
-{% endif %}
+{% endif %}
}
-{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
+{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
mode = pass
}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
}
{% endmacro %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index e4b36b99f..0a7268405 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -1,34 +1,39 @@
-{% macro conn(name, profile_conf, ike, esp, ciphers) %}
-{% for interface in profile_conf.bind.tunnel %}
+{% macro conn(name, profile_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[profile_conf.ike_group] %}
+{% set esp = esp_group[profile_conf.esp_group] %}
+{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% for interface in profile_conf.bind.tunnel %}
dmvpn-{{ name }}-{{ interface }} {
- proposals = {{ ciphers.ike[profile_conf.ike_group] }}
- version = {{ ike.key_exchange[4:] if "key_exchange" in ike else "0" }}
- rekey_time = {{ ike.lifetime if 'lifetime' in ike else '28800' }}s
+ proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ rekey_time = {{ ike.lifetime }}s
keyingtries = 0
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
local {
auth = psk
}
remote {
auth = psk
}
-{% endif %}
+{% endif %}
children {
dmvpn {
- esp_proposals = {{ ciphers.esp[profile_conf.esp_group] }}
- rekey_time = {{ esp.lifetime if 'lifetime' in esp else '3600' }}s
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
- mode = {{ esp.mode if "mode" in esp else "transport" }}
-{% if 'dead_peer_detection' in ike and 'action' in ike.dead_peer_detection %}
+ mode = {{ esp.mode }}
+{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
-{% endif %}
-{% if 'compression' in esp and esp['compression'] == 'enable' %}
+{% endif %}
+{% if esp.compression is defined and esp.compression == 'enable' %}
ipcomp = yes
-{% endif %}
+{% endif %}
}
}
}
-{% endfor %}
+{% endfor %}
+{% endif %}
{% endmacro %}
diff --git a/debian/control b/debian/control
index ddccc9e14..aed1a3b2d 100644
--- a/debian/control
+++ b/debian/control
@@ -72,14 +72,15 @@ Depends:
keepalived (>=2.0.5),
lcdproc,
libatomic1,
- libcharon-extra-plugins (>=5.8),
+ libcharon-extra-plugins (>=5.9),
+ libcharon-extauth-plugins (>=5.9),
libndp-tools,
libnetfilter-conntrack3,
libnfnetlink0,
libpam-radius-auth (>= 1.5.0),
libqmi-utils,
- libstrongswan-extra-plugins (>=5.8),
- libstrongswan-standard-plugins (>=5.8),
+ libstrongswan-extra-plugins (>=5.9),
+ libstrongswan-standard-plugins (>=5.9),
libvyosconfig0,
lldpd,
lm-sensors,
@@ -142,8 +143,8 @@ Depends:
squidclient,
squidguard,
ssl-cert,
- strongswan (>= 5.8),
- strongswan-swanctl (>= 5.8),
+ strongswan (>= 5.9),
+ strongswan-swanctl (>= 5.9),
sudo,
systemd,
tcpdump,
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 5528d6bc5..f07c619a8 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -91,7 +91,7 @@
<multi/>
</properties>
</leafNode>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="ipv6-address-group">
@@ -112,7 +112,7 @@
<multi/>
</properties>
</leafNode>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="ipv6-network-group">
@@ -120,7 +120,7 @@
<help>Network-group member</help>
</properties>
<children>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="network">
<properties>
<help>Network-group member</help>
@@ -141,7 +141,7 @@
<help>Firewall network-group</help>
</properties>
<children>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="network">
<properties>
<help>Network-group member</help>
@@ -162,7 +162,7 @@
<help>Firewall port-group</help>
</properties>
<children>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="port">
<properties>
<help>Port-group member</help>
@@ -210,15 +210,15 @@
</properties>
<children>
#include <include/firewall/name-default-action.xml.i>
- #include <include/firewall/description.xml.i>
#include <include/firewall/name-default-log.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule number (1-9999)</help>
</properties>
<children>
#include <include/firewall/action.xml.i>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -578,15 +578,15 @@
</properties>
<children>
#include <include/firewall/name-default-action.xml.i>
- #include <include/firewall/description.xml.i>
#include <include/firewall/name-default-log.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule number (1-9999)</help>
</properties>
<children>
#include <include/firewall/action.xml.i>
- #include <include/firewall/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 466599e0a..1ee8da73d 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -1,6 +1,6 @@
<!-- include start from firewall/common-rule.xml.i -->
#include <include/firewall/action.xml.i>
-#include <include/firewall/description.xml.i>
+#include <include/generic-description.xml.i>
<leafNode name="disable">
<properties>
<help>Option to disable firewall rule</help>
diff --git a/interface-definitions/include/firewall/description.xml.i b/interface-definitions/include/firewall/description.xml.i
deleted file mode 100644
index b6bae406b..000000000
--- a/interface-definitions/include/firewall/description.xml.i
+++ /dev/null
@@ -1,11 +0,0 @@
-<!-- include start from firewall/description.xml.i -->
-<leafNode name="description">
- <properties>
- <help>Description</help>
- <valueHelp>
- <format>txt</format>
- <description>Description</description>
- </valueHelp>
- </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/policy/description.xml.i b/interface-definitions/include/generic-description.xml.i
index e2ff35d02..03fc564e6 100644
--- a/interface-definitions/include/policy/description.xml.i
+++ b/interface-definitions/include/generic-description.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from policy/description.xml.i -->
+<!-- include start from generic-description.xml.i -->
<leafNode name="description">
<properties>
<help>Description</help>
diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i
new file mode 100644
index 000000000..4967782ec
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-id.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-id.xml.i -->
+<leafNode name="id">
+ <properties>
+ <help>ID for peer authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for peer authentication</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/authentication-x509.xml.i b/interface-definitions/include/ipsec/authentication-x509.xml.i
new file mode 100644
index 000000000..db675c0bf
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-x509.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-x509.xml.i -->
+<node name="x509">
+ <properties>
+ <help>X.509 certificate</help>
+ </properties>
+ <children>
+ #include <include/pki/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/esp-group.xml.i b/interface-definitions/include/ipsec/esp-group.xml.i
new file mode 100644
index 000000000..5e5d8197b
--- /dev/null
+++ b/interface-definitions/include/ipsec/esp-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from ipsec/esp-group.xml.i -->
+<leafNode name="esp-group">
+ <properties>
+ <help>Encapsulating Security Payloads (ESP) group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/ike-group.xml.i b/interface-definitions/include/ipsec/ike-group.xml.i
new file mode 100644
index 000000000..f7649ed30
--- /dev/null
+++ b/interface-definitions/include/ipsec/ike-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from ipsec/ike-group.xml.i -->
+<leafNode name="ike-group">
+ <properties>
+ <help>Internet Key Exchange (IKE) group name</help>
+ <completionHelp>
+ <path>vpn ipsec ike-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index 6a002cc20..5a3c58fa8 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -27,7 +27,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this access-list</help>
@@ -41,7 +41,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination network or address</help>
@@ -87,7 +87,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this access-list6</help>
@@ -101,7 +101,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="source">
<properties>
<help>Source IPv6 network to match</help>
@@ -146,7 +146,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this as-path-list</help>
@@ -160,7 +160,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against an AS path</help>
@@ -183,7 +183,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this BGP community list</help>
@@ -197,7 +197,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against a community-list</help>
@@ -243,7 +243,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this BGP extended community list</help>
@@ -257,7 +257,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against an extended community list</help>
@@ -288,7 +288,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this BGP extended community list</help>
@@ -302,7 +302,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against a large community list</help>
@@ -329,7 +329,7 @@
<constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this prefix-list</help>
@@ -343,7 +343,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="ge">
<properties>
<help>Prefix length to match a netmask greater than or equal to it</help>
@@ -397,7 +397,7 @@
<constraintErrorMessage>Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this prefix-list6</help>
@@ -411,7 +411,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="ge">
<properties>
<help>Prefix length to match a netmask greater than or equal to it</help>
@@ -465,7 +465,7 @@
<constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this route-map</help>
@@ -500,7 +500,7 @@
</valueHelp>
</properties>
</leafNode>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="match">
<properties>
<help>Route parameters to match</help>
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 7b1b3a595..ff60bb82f 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -64,6 +64,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
@@ -83,6 +84,7 @@
<regex>^(tunnel|transport)$</regex>
</constraint>
</properties>
+ <defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
@@ -92,95 +94,95 @@
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Enable PFS. Use ike-groups dh-group (default)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024) - default</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
- <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description>
+ <description>Use Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>dh-group2</format>
- <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>dh-group5</format>
- <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description>
+ <description>Use Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>dh-group14</format>
- <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description>
+ <description>Use Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>dh-group15</format>
- <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description>
+ <description>Use Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>dh-group16</format>
- <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description>
+ <description>Use Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>dh-group17</format>
- <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description>
+ <description>Use Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>dh-group18</format>
- <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description>
+ <description>Use Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>dh-group19</format>
- <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description>
+ <description>Use Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>dh-group20</format>
- <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description>
+ <description>Use Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>dh-group21</format>
- <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description>
+ <description>Use Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>dh-group22</format>
- <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description>
+ <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>dh-group23</format>
- <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description>
+ <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>dh-group24</format>
- <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description>
+ <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>dh-group25</format>
- <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description>
+ <description>Use Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>dh-group26</format>
- <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description>
+ <description>Use Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>dh-group27</format>
- <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description>
+ <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group28</format>
- <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description>
+ <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group29</format>
- <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description>
+ <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group30</format>
- <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description>
+ <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group31</format>
- <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description>
+ <description>Use Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>dh-group32</format>
- <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description>
+ <description>Use Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
@@ -190,6 +192,7 @@
<regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
@@ -341,6 +344,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="mobike">
<properties>
@@ -521,100 +525,109 @@
</leafNode>
</children>
</node>
- <node name="logging">
+ <node name="log">
<properties>
<help>IPsec logging</help>
</properties>
<children>
- <leafNode name="log-level">
+ <leafNode name="level">
<properties>
<help>strongSwan Logger Level</help>
<valueHelp>
- <format>u32:0-2</format>
- <description>Logger Verbosity Level (default 0)</description>
+ <format>u32:0</format>
+ <description>Very basic auditing logs e.g. SA up/SA down (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1</format>
+ <description>Generic control flow with errors, a good default to see whats going on</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2</format>
+ <description>More detailed debugging control flow</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2"/>
</constraint>
</properties>
+ <defaultValue>0</defaultValue>
</leafNode>
- <leafNode name="log-modes">
+ <leafNode name="subsystem">
<properties>
- <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help>
+ <help>Subsystem in the daemon the log comes from</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
<valueHelp>
<format>dmn</format>
- <description>Debug log option for strongSwan</description>
+ <description>Main daemon setup/cleanup/signal handling</description>
</valueHelp>
<valueHelp>
<format>mgr</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE_SA manager, handling synchronization for IKE_SA access</description>
</valueHelp>
<valueHelp>
<format>ike</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE_SA/ISAKMP SA</description>
</valueHelp>
<valueHelp>
<format>chd</format>
- <description>Debug log option for strongSwan</description>
+ <description>CHILD_SA/IPsec SA</description>
</valueHelp>
<valueHelp>
<format>job</format>
- <description>Debug log option for strongSwan</description>
+ <description>Jobs queuing/processing and thread pool management</description>
</valueHelp>
<valueHelp>
<format>cfg</format>
- <description>Debug log option for strongSwan</description>
+ <description>Configuration management and plugins</description>
</valueHelp>
<valueHelp>
<format>knl</format>
- <description>Debug log option for strongSwan</description>
+ <description>IPsec/Networking kernel interface</description>
</valueHelp>
<valueHelp>
<format>net</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE network communication</description>
</valueHelp>
<valueHelp>
<format>asn</format>
- <description>Debug log option for strongSwan</description>
+ <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
</valueHelp>
<valueHelp>
<format>enc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Packet encoding/decoding encryption/decryption operations</description>
</valueHelp>
<valueHelp>
<format>lib</format>
- <description>Debug log option for strongSwan</description>
+ <description>libstrongswan library messages</description>
</valueHelp>
<valueHelp>
<format>esp</format>
- <description>Debug log option for strongSwan</description>
+ <description>libipsec library messages</description>
</valueHelp>
<valueHelp>
<format>tls</format>
- <description>Debug log option for strongSwan</description>
+ <description> libtls library messages</description>
</valueHelp>
<valueHelp>
<format>tnc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Trusted Network Connect</description>
</valueHelp>
<valueHelp>
<format>imc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Integrity Measurement Collector</description>
</valueHelp>
<valueHelp>
<format>imv</format>
- <description>Debug log option for strongSwan</description>
+ <description>Integrity Measurement Verifier</description>
</valueHelp>
<valueHelp>
<format>pts</format>
- <description>Debug log option for strongSwan</description>
+ <description> Platform Trust Service</description>
</valueHelp>
<valueHelp>
<format>any</format>
- <description>Debug log option for strongSwan</description>
+ <description>Any subsystem</description>
</valueHelp>
<constraint>
<regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
@@ -688,27 +701,13 @@
</leafNode>
</children>
</node>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>IKE group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
</children>
</tagNode>
<node name="site-to-site">
<properties>
- <help>Site to site VPN</help>
+ <help>Site-to-site VPN</help>
</properties>
<children>
<tagNode name="peer">
@@ -738,15 +737,8 @@
<help>Peer authentication [REQUIRED]</help>
</properties>
<children>
- <leafNode name="id">
- <properties>
- <help>ID for peer authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for peer authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
@@ -799,15 +791,6 @@
<valueless/>
</properties>
</leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/pki/certificate-key.xml.i>
- #include <include/pki/ca-certificate.xml.i>
- </children>
- </node>
</children>
</node>
<leafNode name="connection-type">
@@ -837,12 +820,7 @@
</completionHelp>
</properties>
</leafNode>
- <leafNode name="description">
- <properties>
- <help>VPN peer description</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/generic-description.xml.i>
<leafNode name="dhcp-interface">
<properties>
<help>DHCP interface to listen on</help>
@@ -870,14 +848,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Internet Key Exchange (IKE) group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
<help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
@@ -936,14 +907,7 @@
</properties>
<children>
#include <include/generic-disable-node.xml.i>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
<node name="local">
<properties>
<help>Local parameters for interesting traffic</help>
@@ -1033,14 +997,7 @@
<help>VTI tunnel interface associated with this configuration [REQUIRED]</help>
</properties>
</leafNode>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
</children>
</node>
</children>
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 5c12e9914..f03fd7ee7 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -387,3 +387,49 @@ def get_ip(interface):
""" Get interface IP addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr()
+
+@register_filter('get_esp_ike_cipher')
+def get_esp_ike_cipher(group_config):
+ pfs_lut = {
+ 'dh-group1' : 'modp768',
+ 'dh-group2' : 'modp1024',
+ 'dh-group5' : 'modp1536',
+ 'dh-group14' : 'modp2048',
+ 'dh-group15' : 'modp3072',
+ 'dh-group16' : 'modp4096',
+ 'dh-group17' : 'modp6144',
+ 'dh-group18' : 'modp8192',
+ 'dh-group19' : 'ecp256',
+ 'dh-group20' : 'ecp384',
+ 'dh-group21' : 'ecp512',
+ 'dh-group22' : 'modp1024s160',
+ 'dh-group23' : 'modp2048s224',
+ 'dh-group24' : 'modp2048s256',
+ 'dh-group25' : 'ecp192',
+ 'dh-group26' : 'ecp224',
+ 'dh-group27' : 'ecp224bp',
+ 'dh-group28' : 'ecp256bp',
+ 'dh-group29' : 'ecp384bp',
+ 'dh-group30' : 'ecp512bp',
+ 'dh-group31' : 'curve25519',
+ 'dh-group32' : 'curve448'
+ }
+
+ ciphers = []
+ if 'proposal' in group_config:
+ for priority, proposal in group_config['proposal'].items():
+ # both encryption and hash need to be specified for a proposal
+ if not {'encryption', 'hash'} <= set(proposal):
+ continue
+
+ tmp = '{encryption}-{hash}'.format(**proposal)
+ if 'dh_group' in proposal:
+ tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ]
+ elif 'pfs' in group_config and group_config['pfs'] != 'disable':
+ group = group_config['pfs']
+ if group_config['pfs'] == 'enable':
+ group = 'dh-group2'
+ tmp += '-' + pfs_lut[group]
+
+ ciphers.append(tmp)
+ return ciphers
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 9c0ad2075..fda8b74b1 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -18,8 +18,9 @@ import os
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
-
-from vyos.util import call, process_named_running, read_file
+from vyos.util import call
+from vyos.util import process_named_running
+from vyos.util import read_file
ethernet_path = ['interfaces', 'ethernet']
tunnel_path = ['interfaces', 'tunnel']
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ce72ee094..d1b29ee9a 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -23,6 +23,7 @@ from time import sleep
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
+from vyos.configdict import dict_merge
from vyos.ifconfig import Interface
from vyos.pki import wrap_certificate
from vyos.pki import wrap_crl
@@ -35,50 +36,11 @@ from vyos.util import call
from vyos.util import dict_search
from vyos.util import process_named_running
from vyos.util import run
+from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-authby_translate = {
- 'pre-shared-secret': 'psk',
- 'rsa': 'pubkey',
- 'x509': 'pubkey'
-}
-
-default_pfs = 'dh-group2'
-pfs_translate = {
- 'dh-group1' : 'modp768',
- 'dh-group2' : 'modp1024',
- 'dh-group5' : 'modp1536',
- 'dh-group14' : 'modp2048',
- 'dh-group15' : 'modp3072',
- 'dh-group16' : 'modp4096',
- 'dh-group17' : 'modp6144',
- 'dh-group18' : 'modp8192',
- 'dh-group19' : 'ecp256',
- 'dh-group20' : 'ecp384',
- 'dh-group21' : 'ecp512',
- 'dh-group22' : 'modp1024s160',
- 'dh-group23' : 'modp2048s224',
- 'dh-group24' : 'modp2048s256',
- 'dh-group25' : 'ecp192',
- 'dh-group26' : 'ecp224',
- 'dh-group27' : 'ecp224bp',
- 'dh-group28' : 'ecp256bp',
- 'dh-group29' : 'ecp384bp',
- 'dh-group30' : 'ecp512bp',
- 'dh-group31' : 'curve25519',
- 'dh-group32' : 'curve448'
-}
-
-any_log_modes = [
- 'dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn',
- 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'
-]
-
-ike_ciphers = {}
-esp_ciphers = {}
-
dhcp_wait_attempts = 2
dhcp_wait_sleep = 1
@@ -112,54 +74,43 @@ def get_config(config=None):
ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
- ipsec['dhcp_no_address'] = {}
- ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface'])
- ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings'])
- ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
- ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
- ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
-
- default_ike_pfs = None
-
- if 'ike_group' in ipsec:
- for group, ike_conf in ipsec['ike_group'].items():
- if 'proposal' in ike_conf:
- ciphers = []
- for i in ike_conf['proposal']:
- proposal = ike_conf['proposal'][i]
- enc = proposal['encryption'] if 'encryption' in proposal else None
- hash = proposal['hash'] if 'hash' in proposal else None
- pfs = ('dh-group' + proposal['dh_group']) if 'dh_group' in proposal else default_pfs
-
- if not default_ike_pfs:
- default_ike_pfs = pfs
-
- if enc and hash:
- ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}")
- ike_ciphers[group] = ','.join(ciphers)
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_values = defaults(base)
+ # XXX: T2665: we must safely remove default values for tag nodes, those are
+ # added in a more fine grained way later on
+ del default_values['esp_group']
+ del default_values['ike_group']
+ ipsec = dict_merge(default_values, ipsec)
if 'esp_group' in ipsec:
- for group, esp_conf in ipsec['esp_group'].items():
- pfs = esp_conf['pfs'] if 'pfs' in esp_conf else 'enable'
-
- if pfs == 'disable':
- pfs = None
-
- if pfs == 'enable':
- pfs = default_ike_pfs
+ default_values = defaults(base + ['esp-group'])
+ for group in ipsec['esp_group']:
+ ipsec['esp_group'][group] = dict_merge(default_values,
+ ipsec['esp_group'][group])
- if 'proposal' in esp_conf:
- ciphers = []
- for i in esp_conf['proposal']:
- proposal = esp_conf['proposal'][i]
- enc = proposal['encryption'] if 'encryption' in proposal else None
- hash = proposal['hash'] if 'hash' in proposal else None
- if enc and hash:
- ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}")
- esp_ciphers[group] = ','.join(ciphers)
+ if 'ike_group' in ipsec:
+ default_values = defaults(base + ['ike-group'])
+ for group in ipsec['ike_group']:
+ ipsec['ike_group'][group] = dict_merge(default_values,
+ ipsec['ike_group'][group])
+ ipsec['dhcp_no_address'] = {}
+ ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
+ 'interface'])
+ ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access',
+ 'ipsec-settings'])
+ ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
+ ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+ ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'],
+ key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ import pprint
+ pprint.pprint(ipsec)
return ipsec
def get_rsa_local_key(ipsec):
@@ -361,67 +312,55 @@ def generate(ipsec):
os.unlink(config_file)
return
- data = {}
- if ipsec:
- if ipsec['dhcp_no_address']:
- with open(DHCP_HOOK_IFLIST, 'w') as f:
- f.write(" ".join(ipsec['dhcp_no_address'].values()))
+ if ipsec['dhcp_no_address']:
+ with open(DHCP_HOOK_IFLIST, 'w') as f:
+ f.write(" ".join(ipsec['dhcp_no_address'].values()))
- data = ipsec
- data['authby'] = authby_translate
- data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers}
- data['rsa_local_key'] = verify_rsa_local_key(ipsec)
+ data = ipsec
+ data['rsa_local_key'] = verify_rsa_local_key(ipsec)
- for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
- if not os.path.exists(path):
- os.mkdir(path, mode=0o755)
+ for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
+ if not os.path.exists(path):
+ os.mkdir(path, mode=0o755)
- if not os.path.exists(KEY_PATH):
- os.mkdir(KEY_PATH, mode=0o700)
+ if not os.path.exists(KEY_PATH):
+ os.mkdir(KEY_PATH, mode=0o700)
- if 'site_to_site' in data and 'peer' in data['site_to_site']:
- for peer, peer_conf in ipsec['site_to_site']['peer'].items():
- if peer in ipsec['dhcp_no_address']:
- continue
+ if 'site_to_site' in data and 'peer' in data['site_to_site']:
+ for peer, peer_conf in ipsec['site_to_site']['peer'].items():
+ if peer in ipsec['dhcp_no_address']:
+ continue
- if peer_conf['authentication']['mode'] == 'x509':
- generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509'])
+ if peer_conf['authentication']['mode'] == 'x509':
+ generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509'])
- local_ip = ''
- if 'local_address' in peer_conf:
- local_ip = peer_conf['local_address']
- elif 'dhcp_interface' in peer_conf:
- local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+ local_ip = ''
+ if 'local_address' in peer_conf:
+ local_ip = peer_conf['local_address']
+ elif 'dhcp_interface' in peer_conf:
+ local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
- data['site_to_site']['peer'][peer]['local_address'] = local_ip
+ data['site_to_site']['peer'][peer]['local_address'] = local_ip
- if 'tunnel' in peer_conf:
- for tunnel, tunnel_conf in peer_conf['tunnel'].items():
- local_prefixes = dict_search('local.prefix', tunnel_conf)
- remote_prefixes = dict_search('remote.prefix', tunnel_conf)
+ if 'tunnel' in peer_conf:
+ for tunnel, tunnel_conf in peer_conf['tunnel'].items():
+ local_prefixes = dict_search('local.prefix', tunnel_conf)
+ remote_prefixes = dict_search('remote.prefix', tunnel_conf)
- if not local_prefixes or not remote_prefixes:
- continue
+ if not local_prefixes or not remote_prefixes:
+ continue
- passthrough = []
+ passthrough = []
- for local_prefix in local_prefixes:
- for remote_prefix in remote_prefixes:
- local_net = ipaddress.ip_network(local_prefix)
- remote_net = ipaddress.ip_network(remote_prefix)
- if local_net.overlaps(remote_net):
- passthrough.append(local_prefix)
+ for local_prefix in local_prefixes:
+ for remote_prefix in remote_prefixes:
+ local_net = ipaddress.ip_network(local_prefix)
+ remote_net = ipaddress.ip_network(remote_prefix)
+ if local_net.overlaps(remote_net):
+ passthrough.append(local_prefix)
- data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
+ data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
- if 'logging' in ipsec and 'log_modes' in ipsec['logging']:
- modes = ipsec['logging']['log_modes']
- level = ipsec['logging']['log_level'] if 'log_level' in ipsec['logging'] else '1'
- if isinstance(modes, str):
- modes = [modes]
- if 'any' in modes:
- modes = any_log_modes
- data['charondebug'] = f' {level}, '.join(modes) + ' ' + level
render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', data)
render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data)
@@ -448,7 +387,7 @@ def apply(ipsec):
if not ipsec:
call('sudo /usr/sbin/ipsec stop')
else:
- should_start = ('profile' in ipsec or dict_search('site_to_site.peer', ipsec))
+ should_start = 'profile' in ipsec or dict_search('site_to_site.peer', ipsec)
if not process_named_running('charon') and should_start:
args = f'--auto-update {ipsec["auto_update"]}' if 'auto_update' in ipsec else ''
diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6
index 86be55d13..ba5ce0fca 100755
--- a/src/migration-scripts/ipsec/5-to-6
+++ b/src/migration-scripts/ipsec/5-to-6
@@ -60,6 +60,20 @@ if config.exists(base + ['site-to-site', 'peer']):
if config.exists(public_networks):
config.delete(public_networks)
+# Rename "logging log-level" and "logging log-modes" to something more human friendly
+log = base + ['logging']
+if config.exists(log):
+ config.rename(log, 'log')
+ log = base + ['log']
+
+log_level = log + ['log-level']
+if config.exists(log_level):
+ config.rename(log_level, 'level')
+
+log_mode = log + ['log-modes']
+if config.exists(log_mode):
+ config.rename(log_mode, 'subsystem')
+
try:
with open(file_name, 'w') as f:
f.write(config.to_string())
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index 67c0fe84a..2d065f545 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -122,3 +122,63 @@ class TestVyOSTemplate(TestCase):
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48'))
self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64'))
self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64'))
+
+ def test_cipher_to_string(self):
+ ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256'
+ IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024'
+
+ data = {
+ 'esp_group': {
+ 'ESP_DEFAULT': {
+ 'compression': 'disable',
+ 'lifetime': '3600',
+ 'mode': 'tunnel',
+ 'pfs': 'dh-group19',
+ 'proposal': {
+ '10': {
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256',
+ },
+ '20': {
+ 'encryption': 'aes128ccm64',
+ 'hash': 'sha256',
+ }
+ }
+ }
+ },
+ 'ike_group': {
+ 'IKEv2_DEFAULT': {
+ 'close_action': 'none',
+ 'dead_peer_detection': {
+ 'action': 'hold',
+ 'interval': '30',
+ 'timeout': '120'
+ },
+ 'ikev2_reauth': 'no',
+ 'key_exchange': 'ikev2',
+ 'lifetime': '10800',
+ 'mobike': 'disable',
+ 'proposal': {
+ '10': {
+ 'dh_group': '19',
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256'
+ },
+ '20': {
+ 'dh_group': '2',
+ 'encryption': 'aes128ccm128',
+ 'hash': 'md5_128'
+ },
+ }
+ }
+ },
+ }
+
+ for group_name, group_config in data['esp_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(ESP_DEFAULT, ','.join(ciphers))
+
+ for group_name, group_config in data['ike_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(IKEv2_DEFAULT, ','.join(ciphers))
+