summaryrefslogtreecommitdiff
path: root/src/etc/ipsec.d
diff options
context:
space:
mode:
Diffstat (limited to 'src/etc/ipsec.d')
-rw-r--r--src/etc/ipsec.d/key-pair.template67
-rw-r--r--src/etc/ipsec.d/vti-up-down82
2 files changed, 149 insertions, 0 deletions
diff --git a/src/etc/ipsec.d/key-pair.template b/src/etc/ipsec.d/key-pair.template
new file mode 100644
index 000000000..56be97516
--- /dev/null
+++ b/src/etc/ipsec.d/key-pair.template
@@ -0,0 +1,67 @@
+[ req ]
+ default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ string_mask = utf8only
+ attributes = req_attributes
+ dirstring_type = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md = sha256
+# Extension to add when the -x509 option is used.
+ x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+ countryName_min = 2
+ countryName_max = 2
+ ST = State Name
+ localityName = Locality Name (eg, city)
+ organizationName = Organization Name (eg, company)
+ organizationalUnitName = Organizational Unit Name (eg, department)
+ commonName = Common Name (eg, Device hostname)
+ commonName_max = 64
+ emailAddress = Email Address
+ emailAddress_max = 40
+[ req_attributes ]
+ challengePassword = A challenge password (optional)
+ challengePassword_min = 4
+ challengePassword_max = 20
+[ v3_ca ]
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
new file mode 100644
index 000000000..416966056
--- /dev/null
+++ b/src/etc/ipsec.d/vti-up-down
@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
+## Called as vti_up_down vti_intf_name
+
+import os
+import sys
+
+from vyos.config import Config
+from vyos.util import call, get_interface_config, get_interface_address
+
+def get_config(config, base):
+ if not config.exists(base):
+ return None
+
+ return conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True)
+
+def get_dhcp_address(interface):
+ addr = get_interface_address(interface)
+ if not addr:
+ return None
+ if len(addr['addr_info']) == 0:
+ return None
+ return addr['addr_info'][0]['local']
+
+if __name__ == '__main__':
+ verb = os.getenv('PLUTO_VERB')
+ connection = os.getenv('PLUTO_CONNECTION')
+ parent_conn = connection[:-3]
+ interface = sys.argv[1]
+
+ print(f'vti-up-down: start: {verb} {connection} {interface}')
+
+ if verb in ['up-client', 'up-host']:
+ call('sudo /usr/sbin/ip route delete default table 220')
+
+ vti_base = ['interfaces', 'vti', interface]
+ ipsec_base = ['vpn', 'ipsec', 'site-to-site']
+
+ conf = Config()
+ vti_conf = get_config(conf, vti_base)
+ ipsec_conf = get_config(conf, ipsec_base)
+
+ if not vti_conf or 'disable' in vti_conf or not ipsec_conf or 'peer' not in ipsec_conf:
+ print('vti-up-down: exit: vti not found, disabled or no peers found')
+ sys.exit(0)
+
+ peer_conf = None
+
+ for peer, peer_tmp_conf in ipsec_conf['peer'].items():
+ if 'vti' in peer_tmp_conf and 'bind' in peer_tmp_conf['vti']:
+ bind = peer_tmp_conf['vti']['bind']
+ if isinstance(bind, str):
+ bind = [bind]
+ if interface in bind:
+ peer_conf = peer_tmp_conf
+ break
+
+ if not peer_conf:
+ print(f'vti-up-down: exit: No peer found for {interface}')
+ sys.exit(0)
+
+ vti_link = get_interface_config(interface)
+ vti_link_up = vti_link['operstate'] == 'UP' if vti_link else False
+
+ child_sa_installed = False
+ try:
+ child_sa_installed = (call(f'sudo /usr/sbin/swanctl -l -r -i {connection} {parent_conn} | grep -s -q state=INSTALLED', timeout = 5) == 0)
+ except:
+ print('vti-up-down: child-sa check failed')
+
+ if verb in ['up-client', 'up-host']:
+ if not vti_link_up:
+ if 'dhcp_interface' in peer_conf:
+ local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+ call(f'sudo /usr/sbin/ip tunnel change {interface} local {local_ip}')
+ if child_sa_installed:
+ call(f'sudo /usr/sbin/ip link set {interface} up')
+ elif verb in ['down-client', 'down-host']:
+ if vti_link_up and not child_sa_installed:
+ call(f'sudo /usr/sbin/ip link set {interface} down')
+
+ print('vti-up-down: finish')