1 files changed, 42 insertions, 14 deletions

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index e22b7550c..2754314f7 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2024 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -64,6 +64,7 @@ swanctl_dir        = '/etc/swanctl'
 charon_conf        = '/etc/strongswan.d/charon.conf'
 charon_dhcp_conf   = '/etc/strongswan.d/charon/dhcp.conf'
 charon_radius_conf = '/etc/strongswan.d/charon/eap-radius.conf'
+charon_systemd_conf = '/etc/strongswan.d/charon-systemd.conf'
 interface_conf     = '/etc/strongswan.d/interfaces_use.conf'
 swanctl_conf       = f'{swanctl_dir}/swanctl.conf'
 
@@ -86,8 +87,6 @@ def get_config(config=None):
         conf = Config()
     base = ['vpn', 'ipsec']
     l2tp_base = ['vpn', 'l2tp', 'remote-access', 'ipsec-settings']
-    if not conf.exists(base):
-        return None
 
     # retrieve common dictionary keys
     ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
@@ -95,6 +94,14 @@ def get_config(config=None):
                                  get_first_key=True,
                                  with_pki=True)
 
+    ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
+    if ipsec['nhrp_exists']:
+        set_dependents('nhrp', conf)
+
+    if not conf.exists(base):
+        ipsec.update({'deleted' : ''})
+        return ipsec
+
     # We have to cleanup the default dict, as default values could
     # enable features which are not explicitly enabled on the
     # CLI. E.g. dead-peer-detection defaults should not be injected
@@ -115,7 +122,6 @@ def get_config(config=None):
     ipsec['dhcp_no_address'] = {}
     ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes
     ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface'])
-    ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
 
     if ipsec['nhrp_exists']:
         set_dependents('nhrp', conf)
@@ -151,6 +157,8 @@ def get_config(config=None):
                         _, vti = get_interface_dict(conf, ['interfaces', 'vti'], vti_interface)
                         ipsec['vti_interface_dicts'][vti_interface] = vti
 
+    ipsec['vpp_ipsec_exists'] = conf.exists(['vpp', 'settings', 'ipsec'])
+
     return ipsec
 
 def get_dhcp_address(iface):
@@ -196,8 +204,8 @@ def verify_pki_rsa(pki, rsa_conf):
     return True
 
 def verify(ipsec):
-    if not ipsec:
-        return None
+    if not ipsec or 'deleted' in ipsec:
+        return
 
     if 'authentication' in ipsec:
         if 'psk' in ipsec['authentication']:
@@ -479,6 +487,17 @@ def verify(ipsec):
             else:
                 raise ConfigError(f"Missing ike-group on site-to-site peer {peer}")
 
+            # verify encryption algorithm compatibility for IKE with VPP
+            if ipsec['vpp_ipsec_exists']:
+                ike_group = ipsec['ike_group'][peer_conf['ike_group']]
+                for proposal, proposal_config in ike_group.get('proposal', {}).items():
+                    algs = ['gmac', 'serpent', 'twofish']
+                    if any(alg in proposal_config['encryption'] for alg in algs):
+                        raise ConfigError(
+                            f'Encryption algorithm {proposal_config["encryption"]} cannot be used '
+                            f'for IKE proposal {proposal} for site-to-site peer {peer} with VPP'
+                        )
+
             if 'authentication' not in peer_conf or 'mode' not in peer_conf['authentication']:
                 raise ConfigError(f"Missing authentication on site-to-site peer {peer}")
 
@@ -557,7 +576,7 @@ def verify(ipsec):
 
                     esp_group_name = tunnel_conf['esp_group'] if 'esp_group' in tunnel_conf else peer_conf['default_esp_group']
 
-                    if esp_group_name not in ipsec['esp_group']:
+                    if esp_group_name not in ipsec.get('esp_group'):
                         raise ConfigError(f"Invalid esp-group on tunnel {tunnel} for site-to-site peer {peer}")
 
                     esp_group = ipsec['esp_group'][esp_group_name]
@@ -569,6 +588,18 @@ def verify(ipsec):
                         if ('local' in tunnel_conf and 'prefix' in tunnel_conf['local']) or ('remote' in tunnel_conf and 'prefix' in tunnel_conf['remote']):
                             raise ConfigError(f"Local/remote prefix cannot be used with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}")
 
+                    # verify ESP encryption algorithm compatibility with VPP
+                    # because Marvel plugin for VPP doesn't support all algorithms that Strongswan does
+                    if ipsec['vpp_ipsec_exists']:
+                        for proposal, proposal_config in esp_group.get('proposal', {}).items():
+                            algs = ['aes128', 'aes192', 'aes256', 'aes128gcm128', 'aes192gcm128', 'aes256gcm128']
+                            if proposal_config['encryption'] not in algs:
+                                raise ConfigError(
+                                    f'Encryption algorithm {proposal_config["encryption"]} cannot be used '
+                                    f'for ESP proposal {proposal} on tunnel {tunnel} for site-to-site peer {peer} with VPP'
+                                )
+
+
 def cleanup_pki_files():
     for path in [CERT_PATH, CA_PATH, CRL_PATH, KEY_PATH, PUBKEY_PATH]:
         if not os.path.exists(path):
@@ -624,7 +655,7 @@ def generate_pki_files_rsa(pki, rsa_conf):
 def generate(ipsec):
     cleanup_pki_files()
 
-    if not ipsec:
+    if not ipsec or 'deleted' in ipsec:
         for config_file in [charon_dhcp_conf, charon_radius_conf, interface_conf, swanctl_conf]:
             if os.path.isfile(config_file):
                 os.unlink(config_file)
@@ -715,21 +746,19 @@ def generate(ipsec):
     render(charon_conf, 'ipsec/charon.j2', ipsec)
     render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.j2', ipsec)
     render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.j2', ipsec)
+    render(charon_systemd_conf, 'ipsec/charon_systemd.conf.j2', ipsec)
     render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec)
     render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec)
 
 
 def apply(ipsec):
     systemd_service = 'strongswan.service'
-    if not ipsec:
+    if not ipsec or 'deleted' in ipsec:
         call(f'systemctl stop {systemd_service}')
-
         if vti_updown_db_exists():
             remove_vti_updown_db()
-
     else:
         call(f'systemctl reload-or-restart {systemd_service}')
-
         if ipsec['enabled_vti_interfaces']:
             with open_vti_updown_db_for_create_or_update() as db:
                 db.removeAllOtherInterfaces(ipsec['enabled_vti_interfaces'])
@@ -737,7 +766,7 @@ def apply(ipsec):
                 db.commit(lambda interface: ipsec['vti_interface_dicts'][interface])
         elif vti_updown_db_exists():
             remove_vti_updown_db()
-
+    if ipsec:
         if ipsec.get('nhrp_exists', False):
             try:
                 call_dependents()
@@ -746,7 +775,6 @@ def apply(ipsec):
                 # ConfigError("ConfigError('Interface ethN requires an IP address!')")
                 pass
 
-
 if __name__ == '__main__':
     try:
         ipsec = get_config()