| Age | Commit message (Collapse) | Author |
|
T8097: strongswan: add CLI for ESN
|
|
Add options for mlkem*
|
|
Add CLI commands:
set vpn ipsec ike-group MyIKEGroup proposal 1 esn ESN-VALUE
set vpn ipsec esp-group MyESPGroup proposal 1 esn ESN-VALUE
Where ESN-VALUE can be one of:
* required: only establish connection using ESN
* optional: try using ESN, but if not available, accept non-ESN
* disabled (default): don't use ESN
StrongSwan 6.0.6 doesn't allow connections between proposal with
'-noesn' and without '-esn'/'-noesn'. To make it work as expected, use
two proposals for 'optional' and 'disabled':
* required: PROPOSAL-esn
* optional: PROPOSAL-esn-noesn,PROPOSAL
* disabled: PROPOSAL-noesn,PROPOSAL
|
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
The following nodes specified u32 but their range values exceed the
uint32 maximum (4,294,967,295):
- service lldp interface location coordinate-based elin:
u32:0-9999999999 -> u64:0-9999999999
- vpn ipsec esp-group life-bytes:
u32:1024-26843545600000 -> u64:1024-26843545600000
- vpn ipsec esp-group life-packets:
u32:1000-26843545600000 -> u64:1000-26843545600000
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
|
|
In case when there is no local/remote prefix configured in a tunnel settings,
a protocol configured for such tunnel is ignored.
The correct way to generate the configuration is to set the prefix
to `dynamic` if it was not set. The correct config for the described case is:
```
local_ts = dynamic[gre/]
remote_ts = dynamic[gre/]
```
|
|
Added IKEv2 retransmission options (base, tries, timeout).
|
|
Allow to set traffic-selector for VTI interfaces
We can set several local and remote IPv4 and IPv6 prefixes
```
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
```
|
|
- Allow configure preshared key for zabbix-agent
- Added op mode command for generatre random psk secret
- Removed duplicate xml definition for psk settings
Configure authentication mode:
```
# set service monitoring zabbix-agent authentication mode
Possible completions:
pre-shared-secret Use a pre-shared secret key
```
Configure PSK Settings:
```
# set service monitoring zabbix-agent authentication psk
Possible completions:
id ID for authentication
secret pre-shared secret key
```
Generate Random PSK:
```
$ generate psk random
Possible completions:
<Enter> Execute the current command
size Key size in bytes
```
|
|
Add the ability to configure base64 encoded passwords for
VPN IPSec site-to-site peers
authentication psk PSK secret 'xxxxx=='
authentication psk PSK secret-type <base64|plaintext>
|
|
|
|
Also adds support for life_bytes, life_packets, and DPD for
remote-access connections. Changes behavior of remote-access esp-group
lifetime setting to have parity with site-to-site connections.
|
|
|
|
|
|
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
|
|
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
|
|
Renamed DPD action value from 'hold' to 'trap'
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|
|
Some files that described the CLI used underscores to split CLI levels, some
others did not. This commit removes all underscores from the filename and only
makes use of a hyphen.
|
|
|
|
If a parameter is required is determined from the Python string on commit.
This "indicator" is not used consistently and sometimes missing, or added where
it is not required anymore due to Python script improvement/rewrite.
|
|
|
|
close-action parameter is missing in the swanctl.conf file
|
|
It accepts network as the input value but the completion help is showing
ip address, continuation of previous commit
|
|
It accepts network as the input value but the completion help is showing
ip address
|
|
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|
|
ipsec: T3948: Add CLI site-to-site peer connection-type none
|
|
In latest releases, default IKE version is removed, which allows the
connection to be IKEv1 or IKEv2.
The completion help shows IKEv1 as default so removed it.
|
|
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
|
|
set vpn ipsec esp-group grp-ESP life-bytes '100000'
set vpn ipsec esp-group grp-ESP life-packets '2000000'
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
|
|
|
|
Add priority for policy based IPSec VPN tunnels
If 2 tunnels have the same pair of local and remote traffic
selectors (prefixes) it allows to set more preforable install
policy from required peer
The lowest priority is more preforable
|
|
|
|
|
|
|
|
|
|
IPv4 DHCP uses "dns-server" to specify one or more name-servers for a given
pool. In order to use the same CLI syntax this should be renamed to name-server,
which is already the case for DHCPv6.
|
|
|
|
|
|
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a
"radius" option.
|
|
IKE dh-group defaults to 2 (modp1024).
|
|
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw unique 'never'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24'
set vpn ipsec remote-access radius nas-identifier 'fooo'
set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
|