| Age | Commit message (Collapse) | Author |
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
Fix typos and mistakes
No functional changes
|
|
|
|
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
|
|
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern
StrongSwan backend by setting `unique=never` in swanctl.conf for connections.
This restores legacy behavior about multiple connections with the same identity.
|
|
upgrade to 1.4.x
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:
```
set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all'
```
In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.
This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
|
|
Added IKEv2 retransmission options (base, tries, timeout).
|
|
Allow to set traffic-selector for VTI interfaces
We can set several local and remote IPv4 and IPv6 prefixes
```
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
```
|
|
Fix the IPsec log level option processing
set vpn ipsec log level '2'
Render Jinja2 template to generate correct log for IPsec for
the file /etc/strongswan.d/charon-systemd.conf
|
|
Commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators")
added a bug when working with DiffieHellmanGroup, it started becoming a boolead
and no longer referencing the DH groups itself.
This has been fixed.
|
|
If this is unset, loading the iOS VPN profile will error out on the device
giving:
Profile Installation Failed
configuration is invalid:
Missing identity
My first assumption was an empty string in LocalIdentifier for IKE, but turned
out only adding this flag solved it.
This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec
remote-access: fix profile generators") but got reverted now.
|
|
Calling "generate ipsec profile ios-remote-access rw remote ipsec.vyos.net name
VYOS-NET profile VYOS" in op-mode causes
File "/usr/share/vyos/templates/ipsec/ios_profile.j2", line 58, in top-level template code
{% if authentication.client_mode.startswith("eap") %}
^^^^^^^^^^^^^^^^^^^^^^^^^
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'client_mode'
|
|
NHRP migration to FRR
|
|
Add the ability to configure base64 encoded passwords for
VPN IPSec site-to-site peers
authentication psk PSK secret 'xxxxx=='
authentication psk PSK secret-type <base64|plaintext>
|
|
T5873: ipsec remote access VPN: support VTI interfaces.
|
|
|
|
|
|
|
|
Also adds support for life_bytes, life_packets, and DPD for
remote-access connections. Changes behavior of remote-access esp-group
lifetime setting to have parity with site-to-site connections.
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
|
|
|
|
|
|
|
|
|
|
|
|
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
|
|
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
|
|
Renamed DPD action value from 'hold' to 'trap'
|
|
|
|
Not supported with swanctl
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
If IPsec "peer <tag> authentication remote-id" is not set
it should be "%any" by default
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote
Set XML default value in use it in the python vpn_ipsec.py script
|
|
Remote TS for transport mode GRE must be remote-address and
not peer name
|
|
This enabled users to also use 2FA/MFA authentication with a radius backend as
there is enough time to enter the second factor.
|
|
Commit bd4588827b ("ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer")
changed the CLI syntax of ipsec. This resulted in a node not renamed in the
op-mode generator when generating IKEv2 IPSec iOS configuration profiles.
|
|
The "authentication id" option for road-warriors did not get migrated to
the new local-id CLI node. This has been fixed.
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
Fix template for configuration DMVPN IKE profile
dead-peer-detection delay and dead-peer-detecion timeout options
|
|
|
|
|
|
|
|
Set default passtrough list to None to prevent unexpected policy
for peers with not overplapped local and remote prefixes
|
|
|
|
close-action parameter is missing in the swanctl.conf file
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|