diff options
Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 239 |
1 files changed, 172 insertions, 67 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index 3fab8e868..d3065fc47 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -33,9 +33,12 @@ from vyos.pki import wrap_crl from vyos.pki import wrap_public_key from vyos.pki import wrap_private_key from vyos.template import ip_from_cidr +from vyos.template import is_ipv4 +from vyos.template import is_ipv6 from vyos.template import render from vyos.validate import is_ipv6_link_local from vyos.util import call +from vyos.util import dict_search from vyos.util import dict_search_args from vyos.util import run from vyos.xml import defaults @@ -46,13 +49,14 @@ airbag.enable() dhcp_wait_attempts = 2 dhcp_wait_sleep = 1 -swanctl_dir = '/etc/swanctl' -ipsec_conf = '/etc/ipsec.conf' -ipsec_secrets = '/etc/ipsec.secrets' -charon_conf = '/etc/strongswan.d/charon.conf' -charon_dhcp_conf = '/etc/strongswan.d/charon/dhcp.conf' -interface_conf = '/etc/strongswan.d/interfaces_use.conf' -swanctl_conf = f'{swanctl_dir}/swanctl.conf' +swanctl_dir = '/etc/swanctl' +ipsec_conf = '/etc/ipsec.conf' +ipsec_secrets = '/etc/ipsec.secrets' +charon_conf = '/etc/strongswan.d/charon.conf' +charon_dhcp_conf = '/etc/strongswan.d/charon/dhcp.conf' +charon_radius_conf = '/etc/strongswan.d/charon/eap-radius.conf' +interface_conf = '/etc/strongswan.d/interfaces_use.conf' +swanctl_conf = f'{swanctl_dir}/swanctl.conf' default_install_routes = 'yes' @@ -73,6 +77,7 @@ def get_config(config=None): else: conf = Config() base = ['vpn', 'ipsec'] + l2tp_base = ['vpn', 'l2tp', 'remote-access', 'ipsec-settings'] if not conf.exists(base): return None @@ -97,26 +102,51 @@ def get_config(config=None): ipsec['esp_group'][group]) if 'ike_group' in ipsec: default_values = defaults(base + ['ike-group']) + # proposal is a tag node which may come with individual defaults per node + if 'proposal' in default_values: + del default_values['proposal'] + for group in ipsec['ike_group']: ipsec['ike_group'][group] = dict_merge(default_values, ipsec['ike_group'][group]) - if 'remote_access' in ipsec: - default_values = defaults(base + ['remote-access']) - for rw in ipsec['remote_access']: - ipsec['remote_access'][rw] = dict_merge(default_values, - ipsec['remote_access'][rw]) + + if 'proposal' in ipsec['ike_group'][group]: + default_values = defaults(base + ['ike-group', 'proposal']) + for proposal in ipsec['ike_group'][group]['proposal']: + ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values, + ipsec['ike_group'][group]['proposal'][proposal]) + + if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']: + default_values = defaults(base + ['remote-access', 'connection']) + for rw in ipsec['remote_access']['connection']: + ipsec['remote_access']['connection'][rw] = dict_merge(default_values, + ipsec['remote_access']['connection'][rw]) + + if 'remote_access' in ipsec and 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']: + default_values = defaults(base + ['remote-access', 'radius', 'server']) + for server in ipsec['remote_access']['radius']['server']: + ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values, + ipsec['remote_access']['radius']['server'][server]) ipsec['dhcp_no_address'] = {} ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes - ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', - 'interface']) - ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', - 'ipsec-settings']) + ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface']) ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + if tmp: + ipsec['l2tp'] = tmp + l2tp_defaults = defaults(l2tp_base) + ipsec['l2tp'] = dict_merge(l2tp_defaults, ipsec['l2tp']) + ipsec['l2tp_outside_address'] = conf.return_value(['vpn', 'l2tp', 'remote-access', 'outside-address']) + ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024' + ipsec['l2tp_esp_default'] = 'aes256-sha1,3des-sha1' + return ipsec def get_dhcp_address(iface): @@ -165,14 +195,43 @@ def verify(ipsec): if not ipsec: return None - if 'ipsec_interfaces' in ipsec and 'interface' in ipsec['ipsec_interfaces']: - interfaces = ipsec['ipsec_interfaces']['interface'] - if isinstance(interfaces, str): - interfaces = [interfaces] - - for ifname in interfaces: + if 'interfaces' in ipsec : + for ifname in ipsec['interface']: verify_interface_exists(ifname) + if 'l2tp' in ipsec: + if 'esp_group' in ipsec['l2tp']: + if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on L2TP remote-access config") + + if 'ike_group' in ipsec['l2tp']: + if 'ike_group' not in ipsec or ipsec['l2tp']['ike_group'] not in ipsec['ike_group']: + raise ConfigError(f"Invalid ike-group on L2TP remote-access config") + + if 'authentication' not in ipsec['l2tp']: + raise ConfigError(f'Missing authentication settings on L2TP remote-access config') + + if 'mode' not in ipsec['l2tp']['authentication']: + raise ConfigError(f'Missing authentication mode on L2TP remote-access config') + + if not ipsec['l2tp_outside_address']: + raise ConfigError(f'Missing outside-address on L2TP remote-access config') + + if ipsec['l2tp']['authentication']['mode'] == 'pre-shared-secret': + if 'pre_shared_secret' not in ipsec['l2tp']['authentication']: + raise ConfigError(f'Missing pre shared secret on L2TP remote-access config') + + if ipsec['l2tp']['authentication']['mode'] == 'x509': + if 'x509' not in ipsec['l2tp']['authentication']: + raise ConfigError(f'Missing x509 settings on L2TP remote-access config') + + x509 = ipsec['l2tp']['authentication']['x509'] + + if 'ca_certificate' not in x509 or 'certificate' not in x509: + raise ConfigError(f'Missing x509 certificates on L2TP remote-access config') + + verify_pki_x509(ipsec['pki'], x509) + if 'profile' in ipsec: for profile, profile_conf in ipsec['profile'].items(): if 'esp_group' in profile_conf: @@ -191,35 +250,86 @@ def verify(ipsec): raise ConfigError(f"Missing authentication on {profile} profile") if 'remote_access' in ipsec: - for name, ra_conf in ipsec['remote_access'].items(): - if 'esp_group' in ra_conf: - if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']: - raise ConfigError(f"Invalid esp-group on {name} remote-access config") - else: - raise ConfigError(f"Missing esp-group on {name} remote-access config") - - if 'ike_group' in ra_conf: - if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']: - raise ConfigError(f"Invalid ike-group on {name} remote-access config") - else: - raise ConfigError(f"Missing ike-group on {name} remote-access config") - - if 'authentication' not in ra_conf: - raise ConfigError(f"Missing authentication on {name} remote-access config") - - if ra_conf['authentication']['server_mode'] == 'x509': - if 'x509' not in ra_conf['authentication']: - raise ConfigError(f"Missing x509 settings on {name} remote-access config") - - x509 = ra_conf['authentication']['x509'] - - if 'ca_certificate' not in x509 or 'certificate' not in x509: - raise ConfigError(f"Missing x509 certificates on {name} remote-access config") - - verify_pki_x509(ipsec['pki'], x509) - elif ra_conf['authentication']['server_mode'] == 'pre-shared-secret': - if 'pre_shared_secret' not in ra_conf['authentication']: - raise ConfigError(f"Missing pre-shared-key on {name} remote-access config") + if 'connection' in ipsec['remote_access']: + for name, ra_conf in ipsec['remote_access']['connection'].items(): + if 'esp_group' in ra_conf: + if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on {name} remote-access config") + else: + raise ConfigError(f"Missing esp-group on {name} remote-access config") + + if 'ike_group' in ra_conf: + if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']: + raise ConfigError(f"Invalid ike-group on {name} remote-access config") + + ike = ra_conf['ike_group'] + if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2': + raise ConfigError('IPSec remote-access connections requires IKEv2!') + + else: + raise ConfigError(f"Missing ike-group on {name} remote-access config") + + if 'authentication' not in ra_conf: + raise ConfigError(f"Missing authentication on {name} remote-access config") + + if ra_conf['authentication']['server_mode'] == 'x509': + if 'x509' not in ra_conf['authentication']: + raise ConfigError(f"Missing x509 settings on {name} remote-access config") + + x509 = ra_conf['authentication']['x509'] + + if 'ca_certificate' not in x509 or 'certificate' not in x509: + raise ConfigError(f"Missing x509 certificates on {name} remote-access config") + + verify_pki_x509(ipsec['pki'], x509) + elif ra_conf['authentication']['server_mode'] == 'pre-shared-secret': + if 'pre_shared_secret' not in ra_conf['authentication']: + raise ConfigError(f"Missing pre-shared-key on {name} remote-access config") + + + if 'client_mode' in ra_conf['authentication']: + if ra_conf['authentication']['client_mode'] == 'eap-radius': + if 'radius' not in ipsec['remote_access'] or 'server' not in ipsec['remote_access']['radius'] or len(ipsec['remote_access']['radius']['server']) == 0: + raise ConfigError('RADIUS authentication requires at least one server') + + if 'pool' in ra_conf: + if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1: + raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!') + + for pool in ra_conf['pool']: + if pool == 'dhcp': + if dict_search('remote_access.dhcp.server', ipsec) == None: + raise ConfigError('IPSec DHCP server is not configured!') + + elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']: + raise ConfigError(f'Requested pool "{pool}" does not exist!') + + if 'pool' in ipsec['remote_access']: + for pool, pool_config in ipsec['remote_access']['pool'].items(): + if 'prefix' not in pool_config: + raise ConfigError(f'Missing madatory prefix option for pool "{pool}"!') + + if 'name_server' in pool_config: + if len(pool_config['name_server']) > 2: + raise ConfigError(f'Only two name-servers are supported for remote-access pool "{pool}"!') + + for ns in pool_config['name_server']: + v4_addr_and_ns = is_ipv4(ns) and not is_ipv4(pool_config['prefix']) + v6_addr_and_ns = is_ipv6(ns) and not is_ipv6(pool_config['prefix']) + if v4_addr_and_ns or v6_addr_and_ns: + raise ConfigError('Must use both IPv4 or IPv6 addresses for pool prefix and name-server adresses!') + + if 'exclude' in pool_config: + for exclude in pool_config['exclude']: + v4_addr_and_exclude = is_ipv4(exclude) and not is_ipv4(pool_config['prefix']) + v6_addr_and_exclude = is_ipv6(exclude) and not is_ipv6(pool_config['prefix']) + if v4_addr_and_exclude or v6_addr_and_exclude: + raise ConfigError('Must use both IPv4 or IPv6 addresses for pool prefix and exclude prefixes!') + + if 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']: + for server, server_config in ipsec['remote_access']['radius']['server'].items(): + if 'key' not in server_config: + raise ConfigError(f'Missing RADIUS secret key for server "{server}"') if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']: for peer, peer_conf in ipsec['site_to_site']['peer'].items(): @@ -372,7 +482,8 @@ def generate(ipsec): cleanup_pki_files() if not ipsec: - for config_file in [ipsec_conf, ipsec_secrets, charon_dhcp_conf, interface_conf, swanctl_conf]: + for config_file in [ipsec_conf, ipsec_secrets, charon_dhcp_conf, + charon_radius_conf, interface_conf, swanctl_conf]: if os.path.isfile(config_file): os.unlink(config_file) render(charon_conf, 'ipsec/charon.tmpl', {'install_routes': default_install_routes}) @@ -389,8 +500,13 @@ def generate(ipsec): if not os.path.exists(KEY_PATH): os.mkdir(KEY_PATH, mode=0o700) - if 'remote_access' in ipsec: - for rw, rw_conf in ipsec['remote_access'].items(): + if 'l2tp' in ipsec: + if 'authentication' in ipsec['l2tp'] and 'x509' in ipsec['l2tp']['authentication']: + generate_pki_files_x509(ipsec['pki'], ipsec['l2tp']['authentication']['x509']) + + if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']: + for rw, rw_conf in ipsec['remote_access']['connection'].items(): + if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']: generate_pki_files_x509(ipsec['pki'], rw_conf['authentication']['x509']) @@ -436,17 +552,10 @@ def generate(ipsec): render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', ipsec) render(charon_conf, 'ipsec/charon.tmpl', ipsec) render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.tmpl', ipsec) + render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.tmpl', ipsec) render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', ipsec) render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', ipsec) -def resync_l2tp(ipsec): - if ipsec and not ipsec['l2tp_exists']: - return - - tmp = run('/usr/libexec/vyos/conf_mode/ipsec-settings.py') - if tmp > 0: - print('ERROR: failed to reapply L2TP IPSec settings!') - def resync_nhrp(ipsec): if ipsec and not ipsec['nhrp_exists']: return @@ -470,17 +579,13 @@ def apply(ipsec): if not ipsec: call('sudo ipsec stop') else: - args = '' - if 'auto_update' in ipsec: - args = '--auto-update ' + ipsec['auto_update'] - call(f'sudo ipsec restart {args}') + call('sudo ipsec restart') call('sudo ipsec rereadall') call('sudo ipsec reload') if wait_for_vici_socket(): call('sudo swanctl -q') - resync_l2tp(ipsec) resync_nhrp(ipsec) if __name__ == '__main__': |