diff options
| -rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 | 10 | ||||
| -rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 | 18 | ||||
| -rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 6 | ||||
| -rw-r--r-- | python/vyos/ifconfig/interface.py | 58 | ||||
| -rw-r--r-- | python/vyos/ifconfig/l2tpv3.py | 12 | ||||
| -rw-r--r-- | python/vyos/utils/network.py | 28 | ||||
| -rw-r--r-- | smoketest/scripts/cli/base_interfaces_test.py | 10 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_interfaces_l2tpv3.py | 5 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 130 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 16 |
10 files changed, 251 insertions, 42 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index 58f0199fa..3a9af2c94 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -63,6 +63,11 @@ life_packets = {{ vti_esp.life_packets }} {% endif %} life_time = {{ vti_esp.lifetime }}s +{% if vti_esp.disable_rekey is vyos_defined %} + rekey_bytes = 0 + rekey_packets = 0 + rekey_time = 0s +{% endif %} local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" @@ -108,6 +113,11 @@ life_packets = {{ tunnel_esp.life_packets }} {% endif %} life_time = {{ tunnel_esp.lifetime }}s +{% if tunnel_esp.disable_rekey is vyos_defined %} + rekey_bytes = 0 + rekey_packets = 0 + rekey_time = 0s +{% endif %} {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} {% if tunnel_conf.local.prefix is vyos_defined %} {% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index 6bced88c7..e384ae972 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -8,6 +8,10 @@ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} send_certreq = no +{% if ike.dead_peer_detection is vyos_defined %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} rekey_time = {{ ike.lifetime }}s keyingtries = 0 {% if rw_conf.unique is vyos_defined %} @@ -44,8 +48,18 @@ children { ikev2-vpn { esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} - rekey_time = {{ esp.lifetime }}s - rand_time = 540s +{% if esp.life_bytes is vyos_defined %} + life_bytes = {{ esp.life_bytes }} +{% endif %} +{% if esp.life_packets is vyos_defined %} + life_packets = {{ esp.life_packets }} +{% endif %} + life_time = {{ esp.lifetime }}s +{% if esp.disable_rekey is vyos_defined %} + rekey_bytes = 0 + rekey_packets = 0 + rekey_time = 0s +{% endif %} dpd_action = clear inactivity = {{ rw_conf.timeout }} {% if rw_conf.replay_window is vyos_defined %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 7f425d982..4a7fde75b 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -99,6 +99,12 @@ </constraint> </properties> </leafNode> + <leafNode name="disable-rekey"> + <properties> + <help>Do not locally initiate a re-key of the SA, remote peer must re-key before expiration</help> + <valueless/> + </properties> + </leafNode> <leafNode name="mode"> <properties> <help>ESP mode</help> diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index fd4f5b269..f29615a44 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -371,6 +371,9 @@ class Interface(Control): # can not delete ALL interfaces, see below self.flush_addrs() + # remove interface from conntrack VRF interface map + self._del_interface_from_ct_iface_map() + # --------------------------------------------------------------------- # Any class can define an eternal regex in its definition # interface matching the regex will not be deleted @@ -388,33 +391,20 @@ class Interface(Control): cmd = 'ip link del dev {ifname}'.format(**self.config) return self._cmd(cmd) - def _set_vrf_ct_zone(self, vrf, old_vrf_tableid=None): - """ - Add/Remove rules in nftables to associate traffic in VRF to an - individual conntack zone - """ + def _nft_check_and_run(self, nft_command): + # Check if deleting is possible first to avoid raising errors + _, err = self._popen(f'nft --check {nft_command}') + if not err: + # Remove map element + self._cmd(f'nft {nft_command}') - def nft_check_and_run(nft_command): - # Check if deleting is possible first to avoid raising errors - _, err = self._popen(f'nft --check {nft_command}') - if not err: - # Remove map element - self._cmd(f'nft {nft_command}') + def _del_interface_from_ct_iface_map(self): + nft_command = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}' + self._nft_check_and_run(nft_command) - if vrf: - # Get routing table ID for VRF - vrf_table_id = get_vrf_tableid(vrf) - # Add map element with interface and zone ID - if vrf_table_id: - # delete old table ID from nftables if it has changed, e.g. interface moved to a different VRF - if old_vrf_tableid and old_vrf_tableid != int(vrf_table_id): - nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}' - nft_check_and_run(nft_del_element) - - self._cmd(f'nft add element inet vrf_zones ct_iface_map {{ "{self.ifname}" : {vrf_table_id} }}') - else: - nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}' - nft_check_and_run(nft_del_element) + def _add_interface_to_ct_iface_map(self, vrf_table_id: int): + nft_command = f'add element inet vrf_zones ct_iface_map {{ "{self.ifname}" : {vrf_table_id} }}' + self._nft_check_and_run(nft_command) def get_min_mtu(self): """ @@ -564,6 +554,10 @@ class Interface(Control): >>> Interface('eth0').set_vrf() """ + # Don't allow for netns yet + if 'netns' in self.config: + return False + tmp = self.get_interface('vrf') if tmp == vrf: return None @@ -571,7 +565,19 @@ class Interface(Control): # Get current VRF table ID old_vrf_tableid = get_vrf_tableid(self.ifname) self.set_interface('vrf', vrf) - self._set_vrf_ct_zone(vrf, old_vrf_tableid) + + if vrf: + # Get routing table ID number for VRF + vrf_table_id = get_vrf_tableid(vrf) + # Add map element with interface and zone ID + if vrf_table_id: + # delete old table ID from nftables if it has changed, e.g. interface moved to a different VRF + if old_vrf_tableid and old_vrf_tableid != int(vrf_table_id): + self._del_interface_from_ct_iface_map() + self._add_interface_to_ct_iface_map(vrf_table_id) + else: + self._del_interface_from_ct_iface_map() + return True def set_arp_cache_tmo(self, tmo): diff --git a/python/vyos/ifconfig/l2tpv3.py b/python/vyos/ifconfig/l2tpv3.py index 85a89ef8b..c1f2803ee 100644 --- a/python/vyos/ifconfig/l2tpv3.py +++ b/python/vyos/ifconfig/l2tpv3.py @@ -90,9 +90,17 @@ class L2TPv3If(Interface): """ if self.exists(self.ifname): - # interface is always A/D down. It needs to be enabled explicitly self.set_admin_state('down') + # remove all assigned IP addresses from interface - this is a bit redundant + # as the kernel will remove all addresses on interface deletion + self.flush_addrs() + + # remove interface from conntrack VRF interface map, here explicitly and do not + # rely on the base class implementation as the interface will + # vanish as soon as the l2tp session is deleted + self._del_interface_from_ct_iface_map() + if {'tunnel_id', 'session_id'} <= set(self.config): cmd = 'ip l2tp del session tunnel_id {tunnel_id}' cmd += ' session_id {session_id}' @@ -101,3 +109,5 @@ class L2TPv3If(Interface): if 'tunnel_id' in self.config: cmd = 'ip l2tp del tunnel tunnel_id {tunnel_id}' self._cmd(cmd.format(**self.config)) + + # No need to call the baseclass as the interface is now already gone diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py index 8befe370f..55798651f 100644 --- a/python/vyos/utils/network.py +++ b/python/vyos/utils/network.py @@ -530,3 +530,31 @@ def get_vxlan_vni_filter(interface: str) -> list: os_configured_vnis.append(str(vniStart)) return os_configured_vnis + +def get_nft_vrf_zone_mapping() -> dict: + """ + Retrieve current nftables conntrack mapping list from Kernel + + returns: [{'interface': 'red', 'vrf_tableid': 1000}, + {'interface': 'eth2', 'vrf_tableid': 1000}, + {'interface': 'blue', 'vrf_tableid': 2000}] + """ + from json import loads + from jmespath import search + from vyos.utils.process import cmd + output = [] + tmp = loads(cmd('sudo nft -j list table inet vrf_zones')) + # {'nftables': [{'metainfo': {'json_schema_version': 1, + # 'release_name': 'Old Doc Yak #3', + # 'version': '1.0.9'}}, + # {'table': {'family': 'inet', 'handle': 6, 'name': 'vrf_zones'}}, + # {'map': {'elem': [['eth0', 666], + # ['dum0', 666], + # ['wg500', 666], + # ['bond10.666', 666]], + vrf_list = search('nftables[].map.elem | [0]', tmp) + if not vrf_list: + return output + for (vrf_name, vrf_id) in vrf_list: + output.append({'interface' : vrf_name, 'vrf_tableid' : vrf_id}) + return output diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index 66b789e94..e7e29387f 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -15,7 +15,6 @@ from netifaces import AF_INET from netifaces import AF_INET6 from netifaces import ifaddresses -from netifaces import interfaces from base_vyostest_shim import VyOSUnitTestSHIM @@ -25,13 +24,15 @@ from vyos.ifconfig import Interface from vyos.ifconfig import Section from vyos.utils.file import read_file from vyos.utils.dict import dict_search +from vyos.utils.process import cmd from vyos.utils.process import process_named_running from vyos.utils.network import get_interface_config from vyos.utils.network import get_interface_vrf from vyos.utils.network import get_vrf_tableid -from vyos.utils.process import cmd +from vyos.utils.network import interface_exists from vyos.utils.network import is_intf_addr_assigned from vyos.utils.network import is_ipv6_link_local +from vyos.utils.network import get_nft_vrf_zone_mapping from vyos.xml_ref import cli_defined dhclient_base_dir = directories['isc_dhclient_dir'] @@ -117,8 +118,11 @@ class BasicInterfaceTest: self.cli_commit() # Verify that no previously interface remained on the system + ct_map = get_nft_vrf_zone_mapping() for intf in self._interfaces: - self.assertNotIn(intf, interfaces()) + self.assertFalse(interface_exists(intf)) + for map_entry in ct_map: + self.assertNotEqual(intf, map_entry['interface']) # No daemon started during tests should remain running for daemon in ['dhcp6c', 'dhclient']: diff --git a/smoketest/scripts/cli/test_interfaces_l2tpv3.py b/smoketest/scripts/cli/test_interfaces_l2tpv3.py index af3d49f75..abc55e6d2 100755 --- a/smoketest/scripts/cli/test_interfaces_l2tpv3.py +++ b/smoketest/scripts/cli/test_interfaces_l2tpv3.py @@ -20,7 +20,7 @@ import unittest from base_interfaces_test import BasicInterfaceTest from vyos.utils.process import cmd - +from vyos.utils.kernel import unload_kmod class L2TPv3InterfaceTest(BasicInterfaceTest.TestCase): @classmethod def setUpClass(cls): @@ -62,7 +62,6 @@ if __name__ == '__main__': # reloaded on demand - not needed but test more and more features for module in ['l2tp_ip6', 'l2tp_ip', 'l2tp_eth', 'l2tp_eth', 'l2tp_netlink', 'l2tp_core']: - if os.path.exists(f'/sys/module/{module}'): - cmd(f'sudo rmmod {module}') + unload_kmod(module) unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 27356d70e..2dc66485b 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -252,6 +252,15 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): for line in swanctl_conf_lines: self.assertIn(line, swanctl_conf) + # if dpd is not specified it should not be enabled (see T6599) + swanctl_unexpected_lines = [ + f'dpd_timeout' + f'dpd_delay' + ] + + for unexpected_line in swanctl_unexpected_lines: + self.assertNotIn(unexpected_line, swanctl_conf) + swanctl_secrets_lines = [ f'id-{regex_uuid4} = "{local_id}"', f'id-{regex_uuid4} = "{remote_id}"', @@ -639,8 +648,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'auth = eap-mschapv2', f'eap_id = %any', f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256', - f'rekey_time = {eap_lifetime}s', - f'rand_time = 540s', + f'life_time = {eap_lifetime}s', f'dpd_action = clear', f'replay_window = 32', f'inactivity = 28800', @@ -761,8 +769,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'auth = eap-tls', f'eap_id = %any', f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256', - f'rekey_time = {eap_lifetime}s', - f'rand_time = 540s', + f'life_time = {eap_lifetime}s', f'dpd_action = clear', f'inactivity = 28800', f'local_ts = 0.0.0.0/0,::/0', @@ -876,8 +883,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): f'certs = peer1.pem', f'cacerts = MyVyOS-CA.pem,MyVyOS-IntCA.pem', f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256', - f'rekey_time = {eap_lifetime}s', - f'rand_time = 540s', + f'life_time = {eap_lifetime}s', f'dpd_action = clear', f'inactivity = 28800', f'local_ts = 0.0.0.0/0,::/0', @@ -968,5 +974,117 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.tearDownPKI() + def test_remote_access_no_rekey(self): + # In some RA secnarios, disabling server-initiated rekey of IKE and CHILD SA is desired + self.setupPKI() + + ike_group = 'IKE-RW' + esp_group = 'ESP-RW' + + conn_name = 'vyos-rw' + local_address = '192.0.2.1' + ip_pool_name = 'ra-rw-ipv4' + ike_lifetime = '7200' + eap_lifetime = '3600' + local_id = 'ipsec.vyos.net' + + name_servers = ['172.16.254.100', '172.16.254.101'] + prefix = '172.16.250.0/28' + + # IKE + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) + self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', '0']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '14']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes256']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha512']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '14']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha256']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3', 'dh-group', '2']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3', 'encryption', 'aes256']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3', 'hash', 'sha256']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'dh-group', '14']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'encryption', 'aes128gcm128']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'hash', 'sha256']) + + # ESP + self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime]) + self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'disable']) + self.cli_set(base_path + ['esp-group', esp_group, 'disable-rekey']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes256']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha512']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'encryption', 'aes256']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'hash', 'sha384']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3', 'encryption', 'aes256']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3', 'hash', 'sha256']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4', 'encryption', 'aes256']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4', 'hash', 'sha1']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'encryption', 'aes128gcm128']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'hash', 'sha256']) + + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'local-id', local_id]) + # Use client-mode x509 instead of default EAP-MSCHAPv2 + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'client-mode', 'x509']) + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'server-mode', 'x509']) + + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'certificate', peer_name]) + # verify() - CA cert required for x509 auth + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', ca_name]) + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', int_ca_name]) + + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'esp-group', esp_group]) + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'ike-group', ike_group]) + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'local-address', local_address]) + self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'pool', ip_pool_name]) + + for ns in name_servers: + self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', ns]) + self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix]) + + self.cli_commit() + + # verify applied configuration + swanctl_conf = read_file(swanctl_file) + swanctl_lines = [ + f'{conn_name}', + f'remote_addrs = %any', + f'local_addrs = {local_address}', + f'proposals = aes256-sha512-modp2048,aes256-sha256-modp2048,aes256-sha256-modp1024,aes128gcm128-sha256-modp2048', + f'version = 2', + f'send_certreq = no', + f'rekey_time = 0s', + f'keyingtries = 0', + f'pools = {ip_pool_name}', + f'id = "{local_id}"', + f'auth = pubkey', + f'certs = peer1.pem', + f'cacerts = MyVyOS-CA.pem,MyVyOS-IntCA.pem', + f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256', + f'life_time = {eap_lifetime}s', + f'rekey_time = 0s', + f'dpd_action = clear', + f'inactivity = 28800', + f'local_ts = 0.0.0.0/0,::/0', + ] + for line in swanctl_lines: + self.assertIn(line, swanctl_conf) + + swanctl_pool_lines = [ + f'{ip_pool_name}', + f'addrs = {prefix}', + f'dns = {",".join(name_servers)}', + ] + for line in swanctl_pool_lines: + self.assertIn(line, swanctl_conf) + + # Check Root CA, Intermediate CA and Peer cert/key pair is present + self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}.pem'))) + self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}.pem'))) + self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem'))) + + self.tearDownPKI() + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index dc78c755e..cf82b767f 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -24,6 +24,7 @@ from time import sleep from vyos.base import Warning from vyos.config import Config +from vyos.config import config_dict_merge from vyos.configdep import set_dependents from vyos.configdep import call_dependents from vyos.configdict import leaf_node_changed @@ -86,9 +87,22 @@ def get_config(config=None): ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True, - with_recursive_defaults=True, with_pki=True) + # We have to cleanup the default dict, as default values could + # enable features which are not explicitly enabled on the + # CLI. E.g. dead-peer-detection defaults should not be injected + # unless the feature is explicitly opted in to by setting the + # top-level node + default_values = conf.get_config_defaults(**ipsec.kwargs, recursive=True) + + if 'ike_group' in ipsec: + for name, ike in ipsec['ike_group'].items(): + if 'dead_peer_detection' not in ike: + del default_values['ike_group'][name]['dead_peer_detection'] + + ipsec = config_dict_merge(default_values, ipsec) + ipsec['dhcp_interfaces'] = set() ipsec['dhcp_no_address'] = {} ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes |