summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
AgeCommit message (Collapse)Author
2024-07-22T6599: ipsec: support disabling rekey of CHILD_SA.Lucas Christian
Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections. (cherry picked from commit fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf)
2024-04-22T6237: IPSec remote access VPN: ability to set EAP ID of clientsAlex W
(cherry picked from commit 78ea623df20b44309cc6ac9848ed18e97fc4ed03)
2024-03-28T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-02-03ipsec: T5998: add replay-windows settingChristian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040> (cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
2024-01-17T5953: Changed values of 'close-action' to Strongswan valuesaapostoliuk
Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group. (cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap' (cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
2024-01-01T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
2022-06-29xml: streamline interface definition filenames, drop _Christian Poessinger
Some files that described the CLI used underscores to split CLI levels, some others did not. This commit removes all underscores from the filename and only makes use of a hyphen.
2022-06-14Improve IPsec help stringsDaniil Baturin
2022-06-10xml: drop not always applicable REQUIRED suffix from completion help stringChristian Poessinger
If a parameter is required is determined from the Python string on commit. This "indicator" is not used consistently and sometimes missing, or added where it is not required anymore due to Python script improvement/rewrite.
2022-04-29xml: T4047: use full string match in the regex validatorChristian Poessinger
2022-03-24ike-group: T4288 : close-action is missing in swanctl.confsrividya0208
close-action parameter is missing in the swanctl.conf file
2022-03-07ipsec prefix: T4275: Fix for prefix val_help of remote-access and s2s vpnsrividya0208
It accepts network as the input value but the completion help is showing ip address, continuation of previous commit
2022-02-28ipsec prefix: T4275: Incorrect val_help for local/remote prefixsrividya0208
It accepts network as the input value but the completion help is showing ip address
2022-02-25vpn: ipsec: T3093: add missing defaultValue entriesChristian Poessinger
2022-02-24scripts: T4269: node.def generator should automatically add default valuesChristian Poessinger
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help.
2022-02-22Merge pull request #1230 from sever-sever/T1856Christian Poessinger
ipsec: T1856: Ability to set SA life bytes and packets
2022-02-21Merge pull request #1231 from sever-sever/T3948Christian Poessinger
ipsec: T3948: Add CLI site-to-site peer connection-type none
2022-02-21vpn_ipsec: T3656: modified completion help for key-exchangesrividya0208
In latest releases, default IKE version is removed, which allows the connection to be IKEv1 or IKEv2. The completion help shows IKEv1 as default so removed it.
2022-02-20ipsec: T3948: Add CLI site-to-site peer connection-type noneViacheslav Hletenko
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
2022-02-20ipsec: T1856: Ability to set SA life bytes and packetsViacheslav Hletenko
set vpn ipsec esp-group grp-ESP life-bytes '100000' set vpn ipsec esp-group grp-ESP life-packets '2000000'
2022-02-19vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on optionsViacheslav Hletenko
Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
2022-01-11ike-group: T4162: Correct helper description for ikev2-reauthNicolas Fort
2021-12-31ipsec: T4126: Ability to set priorities for installed policyViacheslav
Add priority for policy based IPSec VPN tunnels If 2 tunnels have the same pair of local and remote traffic selectors (prefixes) it allows to set more preforable install policy from required peer The lowest priority is more preforable
2021-12-29Improve IPsec help stringsDaniil Baturin
2021-11-12ipsec: T3986: Fix typos in descriptionsViacheslav
2021-11-11ipsec: T3093: fix log-level completion help stringChristian Poessinger
2021-11-07xml: provide and use common interface-name building blocksChristian Poessinger
2021-09-18dhcp-server: T3838: rename dns-server to name-server nodeChristian Poessinger
IPv4 DHCP uses "dns-server" to specify one or more name-servers for a given pool. In order to use the same CLI syntax this should be renamed to name-server, which is already the case for DHCPv6.
2021-09-14ipsec: T3828: Update interface definitions for new behavioursarthurdev
2021-08-27ipsec: T1210: Jinj2 template did not honor inactivity/timeout settingChristian Poessinger
2021-08-26ipsec: T1210: support road-warrior IP assignment via RADIUS Framed-IP-AddressChristian Poessinger
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a "radius" option.
2021-08-04ipsec: T3718: fix default processing of ike dh-group proposalsChristian Poessinger
IKE dh-group defaults to 2 (modp1024).
2021-07-25ipsec: T1210: add RADIUS authentication for remote-access IKEv2 VPNChristian Poessinger
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' set vpn ipsec remote-access connection rw authentication id '192.0.2.1' set vpn ipsec remote-access connection rw authentication server-mode 'x509' set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' set vpn ipsec remote-access connection rw esp-group 'ESP-RW' set vpn ipsec remote-access connection rw ike-group 'IKE-RW' set vpn ipsec remote-access connection rw local-address '192.0.2.1' set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' set vpn ipsec remote-access connection rw unique 'never' set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2' set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24' set vpn ipsec remote-access radius nas-identifier 'fooo' set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
2021-07-25ipsec: T1210: move DHCP server configuration unter remote-access nodeChristian Poessinger
As this is only related to remote-access, keeping it under "options" simply feels wrong.
2021-07-22ipsec: T2816: remove "auto-update" CLI optionChristian Poessinger
Update/refresh of DNS records is now handled internally by Strongswan.
2021-07-22xml: add building block for "local-users"Christian Poessinger
2021-07-19ipsec: T1210: add "unique" option to specify how to handle multiple connectionsChristian Poessinger
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. * never: never enforce such a policy, even if a peer included INITIAL_CONTACT notification * keep: reject new connection attempts if the same user already has an active connection * replace: delete any existing connection if a new one for the same user gets established To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
2021-07-19ipsec: T1210: split out pool from remote-access configurationChristian Poessinger
Remote access IP pools can now be defined at a global level and referenced in IPSec remote-access connections. To defined a pool use: set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1' set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24' set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1' set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64' A connection can then reference the pool: set vpn ipsec remote-access connection foo pool 'global-ipv4' set vpn ipsec remote-access connection foo pool 'global-ipv6'
2021-07-18ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6 prefixesChristian Poessinger
... this enables a dual-stack IKEv2 VPN deployment.
2021-07-17ipsec: T2816: migrate "ipsec interfaces" to "interface"Christian Poessinger
2021-07-17xml: provide common "pre-shared-secret" include blockChristian Poessinger
2021-07-17xml: provide common "dhcp-interface" include blockChristian Poessinger
2021-07-07pki: T3642: Migrate rsa-keys to PKI configurationsarthurdev
2021-07-05ipsec: T1210: T1251: Add more features to remote-access connectionssarthurdev
- Adds client/server authentication methods. - Adds basic verification to remote-access. - Adds DHCP pool and options to remote-access. - Cleanup unused PKI files.
2021-07-04ipsec: T2816: add completion helper for tunnel interfacesChristian Poessinger
2021-07-04ipsec: T1210: T1251: add "local" traffic-selector include definitionChristian Poessinger
Used by both site2site and remote-access/road-warrior VPN connections.
2021-07-04ipsec: T1210: T1251: add remote-access "name-server" definition to pool configChristian Poessinger
2021-07-04ipsec: T2816: add completion helper for VTI interfacesChristian Poessinger
2021-07-04ipsec: T2816: add include definition for ipsec local-addressChristian Poessinger