2 files changed, 149 insertions, 0 deletions
diff --git a/src/etc/ipsec.d/key-pair.template b/src/etc/ipsec.d/key-pair.template
new file mode 100644
index 000000000..56be97516
--- /dev/null
+++ b/src/etc/ipsec.d/key-pair.template
@@ -0,0 +1,67 @@
+[ req ]
+ default_bits           = 2048
+ default_keyfile        = privkey.pem
+ distinguished_name     = req_distinguished_name
+ string_mask            = utf8only
+ attributes             = req_attributes
+ dirstring_type         = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md             = sha256
+# Extension to add when the -x509 option is used.
+ x509_extensions        = v3_ca
+
+[ req_distinguished_name ]
+ countryName                    = Country Name (2 letter code)
+ countryName_min                = 2
+ countryName_max                = 2
+ ST             = State Name 
+ localityName                   = Locality Name (eg, city)
+ organizationName               = Organization Name (eg, company)
+ organizationalUnitName         = Organizational Unit Name (eg, department)
+ commonName                     = Common Name (eg, Device hostname)
+ commonName_max                 = 64
+ emailAddress                   = Email Address
+ emailAddress_max               = 40
+[ req_attributes ]
+ challengePassword              = A challenge password (optional)
+ challengePassword_min          = 4
+ challengePassword_max          = 20
+[ v3_ca ]
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
new file mode 100644
index 000000000..416966056
--- /dev/null
+++ b/src/etc/ipsec.d/vti-up-down
@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
+## Called as vti_up_down vti_intf_name
+
+import os
+import sys
+
+from vyos.config import Config
+from vyos.util import call, get_interface_config, get_interface_address
+
+def get_config(config, base):
+    if not config.exists(base):
+        return None
+
+    return conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True)
+
+def get_dhcp_address(interface):
+    addr = get_interface_address(interface)
+    if not addr:
+        return None
+    if len(addr['addr_info']) == 0:
+        return None
+    return addr['addr_info'][0]['local']
+
+if __name__ == '__main__':
+    verb = os.getenv('PLUTO_VERB')
+    connection = os.getenv('PLUTO_CONNECTION')
+    parent_conn = connection[:-3]
+    interface = sys.argv[1]
+
+    print(f'vti-up-down: start: {verb} {connection} {interface}')
+
+    if verb in ['up-client', 'up-host']:
+        call('sudo /usr/sbin/ip route delete default table 220')
+
+    vti_base = ['interfaces', 'vti', interface]
+    ipsec_base = ['vpn', 'ipsec', 'site-to-site']
+
+    conf = Config()
+    vti_conf = get_config(conf, vti_base)
+    ipsec_conf = get_config(conf, ipsec_base)
+
+    if not vti_conf or 'disable' in vti_conf or not ipsec_conf or 'peer' not in ipsec_conf:
+        print('vti-up-down: exit: vti not found, disabled or no peers found')
+        sys.exit(0)
+
+    peer_conf = None
+
+    for peer, peer_tmp_conf in ipsec_conf['peer'].items():
+        if 'vti' in peer_tmp_conf and 'bind' in peer_tmp_conf['vti']:
+            bind = peer_tmp_conf['vti']['bind']
+            if isinstance(bind, str):
+                bind = [bind]
+            if interface in bind:
+                peer_conf = peer_tmp_conf
+                break
+
+    if not peer_conf:
+        print(f'vti-up-down: exit: No peer found for {interface}')
+        sys.exit(0)
+
+    vti_link = get_interface_config(interface)
+    vti_link_up = vti_link['operstate'] == 'UP' if vti_link else False
+
+    child_sa_installed = False
+    try:
+        child_sa_installed = (call(f'sudo /usr/sbin/swanctl -l -r -i {connection} {parent_conn} | grep -s -q state=INSTALLED', timeout = 5) == 0)
+    except:
+        print('vti-up-down: child-sa check failed')
+
+    if verb in ['up-client', 'up-host']:
+        if not vti_link_up:
+            if 'dhcp_interface' in peer_conf:
+                local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+                call(f'sudo /usr/sbin/ip tunnel change {interface} local {local_ip}')
+            if child_sa_installed:
+                call(f'sudo /usr/sbin/ip link set {interface} up')
+    elif verb in ['down-client', 'down-host']:
+        if vti_link_up and not child_sa_installed:
+            call(f'sudo /usr/sbin/ip link set {interface} down')
+
+    print('vti-up-down: finish')