Age | Commit message (Collapse) | Author |
|
|
|
close-action parameter is missing in the swanctl.conf file
|
|
It accepts network as the input value but the completion help is showing
ip address, continuation of previous commit
|
|
It accepts network as the input value but the completion help is showing
ip address
|
|
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|
|
ipsec: T3948: Add CLI site-to-site peer connection-type none
|
|
In latest releases, default IKE version is removed, which allows the
connection to be IKEv1 or IKEv2.
The completion help shows IKEv1 as default so removed it.
|
|
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
|
|
set vpn ipsec esp-group grp-ESP life-bytes '100000'
set vpn ipsec esp-group grp-ESP life-packets '2000000'
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
|
|
|
|
Add priority for policy based IPSec VPN tunnels
If 2 tunnels have the same pair of local and remote traffic
selectors (prefixes) it allows to set more preforable install
policy from required peer
The lowest priority is more preforable
|
|
|
|
|
|
|
|
|
|
IPv4 DHCP uses "dns-server" to specify one or more name-servers for a given
pool. In order to use the same CLI syntax this should be renamed to name-server,
which is already the case for DHCPv6.
|
|
|
|
|
|
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a
"radius" option.
|
|
IKE dh-group defaults to 2 (modp1024).
|
|
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw unique 'never'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24'
set vpn ipsec remote-access radius nas-identifier 'fooo'
set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
|
|
As this is only related to remote-access, keeping it under "options" simply
feels wrong.
|
|
Update/refresh of DNS records is now handled internally by Strongswan.
|
|
|
|
Connection uniqueness policy to enforce. To avoid multiple connections from the
same user, a uniqueness policy can be enforced.
* never: never enforce such a policy, even if a peer included INITIAL_CONTACT
notification
* keep: reject new connection attempts if the same user already has an active
connection
* replace: delete any existing connection if a new one for the same user gets
established
To compare connections for uniqueness, the remote IKE identity is used. If EAP
or XAuth authentication is involved, the EAP-Identity or XAuth username is used
to enforce the uniqueness policy instead.
|
|
Remote access IP pools can now be defined at a global level and referenced
in IPSec remote-access connections. To defined a pool use:
set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1'
set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24'
set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1'
set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64'
A connection can then reference the pool:
set vpn ipsec remote-access connection foo pool 'global-ipv4'
set vpn ipsec remote-access connection foo pool 'global-ipv6'
|
|
... this enables a dual-stack IKEv2 VPN deployment.
|
|
|
|
|
|
|
|
|
|
- Adds client/server authentication methods.
- Adds basic verification to remote-access.
- Adds DHCP pool and options to remote-access.
- Cleanup unused PKI files.
|
|
|
|
Used by both site2site and remote-access/road-warrior VPN connections.
|
|
|
|
|
|
|
|
|
|
|
|
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
|
|
|
|
|
|
Renamed CLI from "logging log-modes" to "log subsystem" and "logging log-level"
to "log level". THat is more human firendly.
|
|
VyOS has a known to work mechanism in supplying CLI default values into the
Python configuration scripts. This commit removes hardcoded default values from
the Jinja2 template and places them into the appropriate XML definitions.
The big advantage is that the default value itself and the corresponding help
string are located in the exact same file.
|
|
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.
This commit changes the IPSec implementation to make use of this new Jinja2
filter fubction/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.
|
|
|
|
|