summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
AgeCommit message (Collapse)Author
2022-02-25vpn: ipsec: T3093: add missing defaultValue entriesChristian Poessinger
2022-02-24scripts: T4269: node.def generator should automatically add default valuesChristian Poessinger
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help.
2022-02-22Merge pull request #1230 from sever-sever/T1856Christian Poessinger
ipsec: T1856: Ability to set SA life bytes and packets
2022-02-21Merge pull request #1231 from sever-sever/T3948Christian Poessinger
ipsec: T3948: Add CLI site-to-site peer connection-type none
2022-02-21vpn_ipsec: T3656: modified completion help for key-exchangesrividya0208
In latest releases, default IKE version is removed, which allows the connection to be IKEv1 or IKEv2. The completion help shows IKEv1 as default so removed it.
2022-02-20ipsec: T3948: Add CLI site-to-site peer connection-type noneViacheslav Hletenko
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
2022-02-20ipsec: T1856: Ability to set SA life bytes and packetsViacheslav Hletenko
set vpn ipsec esp-group grp-ESP life-bytes '100000' set vpn ipsec esp-group grp-ESP life-packets '2000000'
2022-02-19vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on optionsViacheslav Hletenko
Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
2022-01-11ike-group: T4162: Correct helper description for ikev2-reauthNicolas Fort
2021-12-31ipsec: T4126: Ability to set priorities for installed policyViacheslav
Add priority for policy based IPSec VPN tunnels If 2 tunnels have the same pair of local and remote traffic selectors (prefixes) it allows to set more preforable install policy from required peer The lowest priority is more preforable
2021-12-29Improve IPsec help stringsDaniil Baturin
2021-11-12ipsec: T3986: Fix typos in descriptionsViacheslav
2021-11-11ipsec: T3093: fix log-level completion help stringChristian Poessinger
2021-11-07xml: provide and use common interface-name building blocksChristian Poessinger
2021-09-18dhcp-server: T3838: rename dns-server to name-server nodeChristian Poessinger
IPv4 DHCP uses "dns-server" to specify one or more name-servers for a given pool. In order to use the same CLI syntax this should be renamed to name-server, which is already the case for DHCPv6.
2021-09-14ipsec: T3828: Update interface definitions for new behavioursarthurdev
2021-08-27ipsec: T1210: Jinj2 template did not honor inactivity/timeout settingChristian Poessinger
2021-08-26ipsec: T1210: support road-warrior IP assignment via RADIUS Framed-IP-AddressChristian Poessinger
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a "radius" option.
2021-08-04ipsec: T3718: fix default processing of ike dh-group proposalsChristian Poessinger
IKE dh-group defaults to 2 (modp1024).
2021-07-25ipsec: T1210: add RADIUS authentication for remote-access IKEv2 VPNChristian Poessinger
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' set vpn ipsec remote-access connection rw authentication id '192.0.2.1' set vpn ipsec remote-access connection rw authentication server-mode 'x509' set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' set vpn ipsec remote-access connection rw esp-group 'ESP-RW' set vpn ipsec remote-access connection rw ike-group 'IKE-RW' set vpn ipsec remote-access connection rw local-address '192.0.2.1' set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' set vpn ipsec remote-access connection rw unique 'never' set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2' set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24' set vpn ipsec remote-access radius nas-identifier 'fooo' set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
2021-07-25ipsec: T1210: move DHCP server configuration unter remote-access nodeChristian Poessinger
As this is only related to remote-access, keeping it under "options" simply feels wrong.
2021-07-22ipsec: T2816: remove "auto-update" CLI optionChristian Poessinger
Update/refresh of DNS records is now handled internally by Strongswan.
2021-07-22xml: add building block for "local-users"Christian Poessinger
2021-07-19ipsec: T1210: add "unique" option to specify how to handle multiple connectionsChristian Poessinger
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. * never: never enforce such a policy, even if a peer included INITIAL_CONTACT notification * keep: reject new connection attempts if the same user already has an active connection * replace: delete any existing connection if a new one for the same user gets established To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
2021-07-19ipsec: T1210: split out pool from remote-access configurationChristian Poessinger
Remote access IP pools can now be defined at a global level and referenced in IPSec remote-access connections. To defined a pool use: set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1' set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24' set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1' set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64' A connection can then reference the pool: set vpn ipsec remote-access connection foo pool 'global-ipv4' set vpn ipsec remote-access connection foo pool 'global-ipv6'
2021-07-18ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6 prefixesChristian Poessinger
... this enables a dual-stack IKEv2 VPN deployment.
2021-07-17ipsec: T2816: migrate "ipsec interfaces" to "interface"Christian Poessinger
2021-07-17xml: provide common "pre-shared-secret" include blockChristian Poessinger
2021-07-17xml: provide common "dhcp-interface" include blockChristian Poessinger
2021-07-07pki: T3642: Migrate rsa-keys to PKI configurationsarthurdev
2021-07-05ipsec: T1210: T1251: Add more features to remote-access connectionssarthurdev
- Adds client/server authentication methods. - Adds basic verification to remote-access. - Adds DHCP pool and options to remote-access. - Cleanup unused PKI files.
2021-07-04ipsec: T2816: add completion helper for tunnel interfacesChristian Poessinger
2021-07-04ipsec: T1210: T1251: add "local" traffic-selector include definitionChristian Poessinger
Used by both site2site and remote-access/road-warrior VPN connections.
2021-07-04ipsec: T1210: T1251: add remote-access "name-server" definition to pool configChristian Poessinger
2021-07-04ipsec: T2816: add completion helper for VTI interfacesChristian Poessinger
2021-07-04ipsec: T2816: add include definition for ipsec local-addressChristian Poessinger
2021-07-04ipsec: T2816: use common building block/include for port definitionChristian Poessinger
2021-07-04ipsec: T1210: T1251: extend ra config with address pools/traffic selectorssarthurdev
2021-07-04ipsec: T1210: T1251: IKEv2 road-warrior supportChristian Poessinger
set vpn ipsec esp-group ESP-RW compression 'disable' set vpn ipsec esp-group ESP-RW lifetime '3600' set vpn ipsec esp-group ESP-RW pfs 'disable' set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1' set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' set vpn ipsec ike-group IKE-RW lifetime '10800' set vpn ipsec ike-group IKE-RW mobike 'enable' set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256' set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1' set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128' set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'dum0' set vpn ipsec remote-access rw authentication id 'vyos' set vpn ipsec remote-access rw authentication local-users username vyos password vyos set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw description 'asdf' set vpn ipsec remote-access rw esp-group 'ESP-RW' set vpn ipsec remote-access rw ike-group 'IKE-RW'
2021-07-03ipsec: T2816: provide x509 certificate base auth building blocksChristian Poessinger
2021-07-03ipsec: T2816: provide esp and ike-group XML building blockChristian Poessinger
2021-07-03ipsec: T2816: rework log options for debuggingChristian Poessinger
Renamed CLI from "logging log-modes" to "log subsystem" and "logging log-level" to "log level". THat is more human firendly.
2021-07-03ipsec: T2816: remove default values from Jinja2 template and place them in XMLChristian Poessinger
VyOS has a known to work mechanism in supplying CLI default values into the Python configuration scripts. This commit removes hardcoded default values from the Jinja2 template and places them into the appropriate XML definitions. The big advantage is that the default value itself and the corresponding help string are located in the exact same file.
2021-07-03ipsec: T2816: rework IKE and ESP key assignmentChristian Poessinger
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string") added a Jinja2 helper function which can be used to transform VyOS CLI ESP and IKE key proposals into a strongSwan compatible string cipher. This commit changes the IPSec implementation to make use of this new Jinja2 filter fubction/Python helper. This is required base work for better automated tests (smoketests) but also for an IKEv2 road-warrior setup.
2021-07-02xml: provide building block for a generic description nodeChristian Poessinger
2021-06-29pki: ipsec: T3642: Migrate IPSec to use PKI configurationsarthurdev
2021-06-15ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple ↵sarthurdev
selectors, and selectors with VTI.
2021-06-12ipsec: T57: Support disable on peer, tunnel, dmvpn profilesarthurdev
2021-06-06ipsec: T3588: remove CLI options deprecated by strongSwanChristian Poessinger
- set vpn ipsec nat-traversal - set vpn ipsec nat-networks allowed-network
2021-06-05ipsec: T3093: drop superfluous top level priorityChristian Poessinger