diff options
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 201 | ||||
-rwxr-xr-x | src/migration-scripts/ipsec/5-to-6 | 14 | ||||
-rw-r--r-- | src/tests/test_template.py | 60 |
3 files changed, 143 insertions, 132 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index ce72ee094..ff26f875a 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -23,6 +23,7 @@ from time import sleep from vyos.config import Config from vyos.configdict import leaf_node_changed from vyos.configverify import verify_interface_exists +from vyos.configdict import dict_merge from vyos.ifconfig import Interface from vyos.pki import wrap_certificate from vyos.pki import wrap_crl @@ -35,50 +36,11 @@ from vyos.util import call from vyos.util import dict_search from vyos.util import process_named_running from vyos.util import run +from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() -authby_translate = { - 'pre-shared-secret': 'psk', - 'rsa': 'pubkey', - 'x509': 'pubkey' -} - -default_pfs = 'dh-group2' -pfs_translate = { - 'dh-group1' : 'modp768', - 'dh-group2' : 'modp1024', - 'dh-group5' : 'modp1536', - 'dh-group14' : 'modp2048', - 'dh-group15' : 'modp3072', - 'dh-group16' : 'modp4096', - 'dh-group17' : 'modp6144', - 'dh-group18' : 'modp8192', - 'dh-group19' : 'ecp256', - 'dh-group20' : 'ecp384', - 'dh-group21' : 'ecp512', - 'dh-group22' : 'modp1024s160', - 'dh-group23' : 'modp2048s224', - 'dh-group24' : 'modp2048s256', - 'dh-group25' : 'ecp192', - 'dh-group26' : 'ecp224', - 'dh-group27' : 'ecp224bp', - 'dh-group28' : 'ecp256bp', - 'dh-group29' : 'ecp384bp', - 'dh-group30' : 'ecp512bp', - 'dh-group31' : 'curve25519', - 'dh-group32' : 'curve448' -} - -any_log_modes = [ - 'dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', - 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts' -] - -ike_ciphers = {} -esp_ciphers = {} - dhcp_wait_attempts = 2 dhcp_wait_sleep = 1 @@ -112,53 +74,40 @@ def get_config(config=None): ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - ipsec['dhcp_no_address'] = {} - ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface']) - ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings']) - ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) - ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - default_ike_pfs = None - - if 'ike_group' in ipsec: - for group, ike_conf in ipsec['ike_group'].items(): - if 'proposal' in ike_conf: - ciphers = [] - for i in ike_conf['proposal']: - proposal = ike_conf['proposal'][i] - enc = proposal['encryption'] if 'encryption' in proposal else None - hash = proposal['hash'] if 'hash' in proposal else None - pfs = ('dh-group' + proposal['dh_group']) if 'dh_group' in proposal else default_pfs - - if not default_ike_pfs: - default_ike_pfs = pfs - - if enc and hash: - ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}") - ike_ciphers[group] = ','.join(ciphers) + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + # XXX: T2665: we must safely remove default values for tag nodes, those are + # added in a more fine grained way later on + del default_values['esp_group'] + del default_values['ike_group'] + ipsec = dict_merge(default_values, ipsec) if 'esp_group' in ipsec: - for group, esp_conf in ipsec['esp_group'].items(): - pfs = esp_conf['pfs'] if 'pfs' in esp_conf else 'enable' + default_values = defaults(base + ['esp-group']) + for group in ipsec['esp_group']: + ipsec['esp_group'][group] = dict_merge(default_values, + ipsec['esp_group'][group]) - if pfs == 'disable': - pfs = None - - if pfs == 'enable': - pfs = default_ike_pfs + if 'ike_group' in ipsec: + default_values = defaults(base + ['ike-group']) + for group in ipsec['ike_group']: + ipsec['ike_group'][group] = dict_merge(default_values, + ipsec['ike_group'][group]) - if 'proposal' in esp_conf: - ciphers = [] - for i in esp_conf['proposal']: - proposal = esp_conf['proposal'][i] - enc = proposal['encryption'] if 'encryption' in proposal else None - hash = proposal['hash'] if 'hash' in proposal else None - if enc and hash: - ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}") - esp_ciphers[group] = ','.join(ciphers) + ipsec['dhcp_no_address'] = {} + ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', + 'interface']) + ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', + 'ipsec-settings']) + ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) + ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) return ipsec @@ -361,67 +310,55 @@ def generate(ipsec): os.unlink(config_file) return - data = {} - if ipsec: - if ipsec['dhcp_no_address']: - with open(DHCP_HOOK_IFLIST, 'w') as f: - f.write(" ".join(ipsec['dhcp_no_address'].values())) + if ipsec['dhcp_no_address']: + with open(DHCP_HOOK_IFLIST, 'w') as f: + f.write(" ".join(ipsec['dhcp_no_address'].values())) - data = ipsec - data['authby'] = authby_translate - data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers} - data['rsa_local_key'] = verify_rsa_local_key(ipsec) + data = ipsec + data['rsa_local_key'] = verify_rsa_local_key(ipsec) - for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]: - if not os.path.exists(path): - os.mkdir(path, mode=0o755) + for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]: + if not os.path.exists(path): + os.mkdir(path, mode=0o755) - if not os.path.exists(KEY_PATH): - os.mkdir(KEY_PATH, mode=0o700) + if not os.path.exists(KEY_PATH): + os.mkdir(KEY_PATH, mode=0o700) - if 'site_to_site' in data and 'peer' in data['site_to_site']: - for peer, peer_conf in ipsec['site_to_site']['peer'].items(): - if peer in ipsec['dhcp_no_address']: - continue + if 'site_to_site' in data and 'peer' in data['site_to_site']: + for peer, peer_conf in ipsec['site_to_site']['peer'].items(): + if peer in ipsec['dhcp_no_address']: + continue - if peer_conf['authentication']['mode'] == 'x509': - generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509']) + if peer_conf['authentication']['mode'] == 'x509': + generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509']) - local_ip = '' - if 'local_address' in peer_conf: - local_ip = peer_conf['local_address'] - elif 'dhcp_interface' in peer_conf: - local_ip = get_dhcp_address(peer_conf['dhcp_interface']) + local_ip = '' + if 'local_address' in peer_conf: + local_ip = peer_conf['local_address'] + elif 'dhcp_interface' in peer_conf: + local_ip = get_dhcp_address(peer_conf['dhcp_interface']) - data['site_to_site']['peer'][peer]['local_address'] = local_ip + data['site_to_site']['peer'][peer]['local_address'] = local_ip - if 'tunnel' in peer_conf: - for tunnel, tunnel_conf in peer_conf['tunnel'].items(): - local_prefixes = dict_search('local.prefix', tunnel_conf) - remote_prefixes = dict_search('remote.prefix', tunnel_conf) + if 'tunnel' in peer_conf: + for tunnel, tunnel_conf in peer_conf['tunnel'].items(): + local_prefixes = dict_search('local.prefix', tunnel_conf) + remote_prefixes = dict_search('remote.prefix', tunnel_conf) - if not local_prefixes or not remote_prefixes: - continue + if not local_prefixes or not remote_prefixes: + continue - passthrough = [] + passthrough = [] - for local_prefix in local_prefixes: - for remote_prefix in remote_prefixes: - local_net = ipaddress.ip_network(local_prefix) - remote_net = ipaddress.ip_network(remote_prefix) - if local_net.overlaps(remote_net): - passthrough.append(local_prefix) + for local_prefix in local_prefixes: + for remote_prefix in remote_prefixes: + local_net = ipaddress.ip_network(local_prefix) + remote_net = ipaddress.ip_network(remote_prefix) + if local_net.overlaps(remote_net): + passthrough.append(local_prefix) - data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough + data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough - if 'logging' in ipsec and 'log_modes' in ipsec['logging']: - modes = ipsec['logging']['log_modes'] - level = ipsec['logging']['log_level'] if 'log_level' in ipsec['logging'] else '1' - if isinstance(modes, str): - modes = [modes] - if 'any' in modes: - modes = any_log_modes - data['charondebug'] = f' {level}, '.join(modes) + ' ' + level render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', data) render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data) @@ -448,7 +385,7 @@ def apply(ipsec): if not ipsec: call('sudo /usr/sbin/ipsec stop') else: - should_start = ('profile' in ipsec or dict_search('site_to_site.peer', ipsec)) + should_start = 'profile' in ipsec or dict_search('site_to_site.peer', ipsec) if not process_named_running('charon') and should_start: args = f'--auto-update {ipsec["auto_update"]}' if 'auto_update' in ipsec else '' diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6 index 86be55d13..ba5ce0fca 100755 --- a/src/migration-scripts/ipsec/5-to-6 +++ b/src/migration-scripts/ipsec/5-to-6 @@ -60,6 +60,20 @@ if config.exists(base + ['site-to-site', 'peer']): if config.exists(public_networks): config.delete(public_networks) +# Rename "logging log-level" and "logging log-modes" to something more human friendly +log = base + ['logging'] +if config.exists(log): + config.rename(log, 'log') + log = base + ['log'] + +log_level = log + ['log-level'] +if config.exists(log_level): + config.rename(log_level, 'level') + +log_mode = log + ['log-modes'] +if config.exists(log_mode): + config.rename(log_mode, 'subsystem') + try: with open(file_name, 'w') as f: f.write(config.to_string()) diff --git a/src/tests/test_template.py b/src/tests/test_template.py index 67c0fe84a..2d065f545 100644 --- a/src/tests/test_template.py +++ b/src/tests/test_template.py @@ -122,3 +122,63 @@ class TestVyOSTemplate(TestCase): self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48')) self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64')) self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64')) + + def test_cipher_to_string(self): + ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256' + IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024' + + data = { + 'esp_group': { + 'ESP_DEFAULT': { + 'compression': 'disable', + 'lifetime': '3600', + 'mode': 'tunnel', + 'pfs': 'dh-group19', + 'proposal': { + '10': { + 'encryption': 'aes256gcm128', + 'hash': 'sha256', + }, + '20': { + 'encryption': 'aes128ccm64', + 'hash': 'sha256', + } + } + } + }, + 'ike_group': { + 'IKEv2_DEFAULT': { + 'close_action': 'none', + 'dead_peer_detection': { + 'action': 'hold', + 'interval': '30', + 'timeout': '120' + }, + 'ikev2_reauth': 'no', + 'key_exchange': 'ikev2', + 'lifetime': '10800', + 'mobike': 'disable', + 'proposal': { + '10': { + 'dh_group': '19', + 'encryption': 'aes256gcm128', + 'hash': 'sha256' + }, + '20': { + 'dh_group': '2', + 'encryption': 'aes128ccm128', + 'hash': 'md5_128' + }, + } + } + }, + } + + for group_name, group_config in data['esp_group'].items(): + ciphers = vyos.template.get_esp_ike_cipher(group_config) + self.assertIn(ESP_DEFAULT, ','.join(ciphers)) + + for group_name, group_config in data['ike_group'].items(): + ciphers = vyos.template.get_esp_ike_cipher(group_config) + self.assertIn(IKEv2_DEFAULT, ','.join(ciphers)) + |