| Age | Commit message (Collapse) | Author |
|
concurrent rekey
The vti-up-down hook and vpn_ipsec.py modify a flat-file DB
(/tmp/ipsec_vti_interfaces) through three context managers that do an
unlocked read-modify-write. During a coordinated rekey, strongSwan fires
the hook for many VTIs concurrently, so the writers lost-update each
other: an interface whose up-client add is overwritten is left admin-down
while its CHILD_SA stays installed.
Serialise all DB access by reusing vyos.utils.locking.Lock. A new
_vti_updown_db_lock() context manager wraps the three public context
managers, and remove_vti_updown_db() holds the lock across both the DB
processing and the os.unlink() to close the create/delete race.
Make the helpers absence-safe under the lock so callers no longer compose
a separate existence check with a locked operation:
open_vti_updown_db_readonly() yields None when the DB does not exist and
remove_vti_updown_db() is a no-op when it is absent. Drop the
now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and
vpn_ipsec.py and handle the None yield.
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|
|
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
|
|
transport mode tunnels
When ESP was configured in transport mode for GRE-based site-to-site tunnels,
the default value `dynamic` was automatically injected into the configuration,
even though prefixes must not be set in transport mode. This led to error
"Local/remote prefix cannot be used with ESP transport mode" and commit failures.
This fix updates configuration logic to skip default prefix assignment
for site-to-site peers using ESP transport mode tunnels.
|
|
In case when there is no local/remote prefix configured in a tunnel settings,
a protocol configured for such tunnel is ignored.
The correct way to generate the configuration is to set the prefix
to `dynamic` if it was not set. The correct config for the described case is:
```
local_ts = dynamic[gre/]
remote_ts = dynamic[gre/]
```
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
VPN IPsec unexpected passthrough logic bug was introduced in this
commit https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1
The correct behaviour of the `cidr_fit` was replaced with the
incorrect `overlap`
This way, the passthrough option is used every time when networks overlap.
```
>>> from ipaddress import ip_network
>>>
>>> a = ip_network('192.0.2.0/24')
>>> b = ip_network('192.0.2.100/30')
>>>
>>> a.overlaps(b)
True
>>>
>>> b.overlaps(a)
True
>>>
```
But there should be `subnet_of`:
```
>>> a.subnet_of(b)
False
>>>
>>> b.subnet_of(a)
True
>>>
```
In configuration it looks like
```
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
```
The StrongSwan unexpected configuration:
```
RIGHT-tunnel-0-passthrough {
local_ts = 192.0.2.0/24
remote_ts = 192.0.2.0/24
start_action = trap
mode = pass
}
```
So all outcoming traffic to the 192.0.2.0/24 pass through the main routing
table instead of out SA
Use `subnet_of` to fix this
|
|
Fix the IPsec log level option processing
set vpn ipsec log level '2'
Render Jinja2 template to generate correct log for IPsec for
the file /etc/strongswan.d/charon-systemd.conf
|
|
|
|
NHRP migration to FRR
|
|
|
|
The function verify_interface_exists requires a reference to the ambient
config_dict rather than creating an instance. As access is required to
the 'interfaces' path, provide as attribute of class ConfigDict, so as
not to confuse path searches of script-specific config_dict instances.
|
|
|
|
|
|
|
|
|
|
|
|
found using "git ls-files *.py | xargs pylint | grep W0611"
|
|
* Use interface_exists() outside of verify()
* Use verify_interface_exists() in verify() to drop common error message
|
|
ipsec: T5606: T5871: Use multi node for CA certificates
|
|
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates.
Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
|
|
|
|
|
|
If we have any `vpn ipsec` and `protocol nhrp` configuration we
get the empty configuration file `/run/opennhrp/opennhrp.conf`
after rebooting the system.
Use config dependency instead of the old `resync_nhrp` function
fixes this issue
|
|
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface")
so that dynamic interfaces can be used by ipsec but a warning is issued that
this will only work after they are available on the system.
PPPoE interfaces are the best example for this, as they are down during system
bootup and will be available anytime after the boot once we've dialed into
the BRAS.
|
|
The correct CLI command is `interface` and not `interfaces`
```
set vpn ipsec interface xxx
```
|
|
|
|
VyOS has several services relaying on the PKI CLI tree to retrieve certificates.
Consuming services like ethernet, openvpn or ipsec all re-implemented the same
code to retrieve the certificates from the CLI.
This commit extends the signature of get_config_dict() with a new option with_pki
that defaults to false. If this option is set, the PKI CLI tree will be blended
into the resulting dictionary.
|
|
Also includes an update to smoketest to verify
|
|
|
|
|
|
Multiple scripts use the same hardcoded path for DHCP client leases in
different direcotries - this can't be worse.
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
|
|
|
|
Not supported with swanctl
|
|
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
If IPsec "peer <tag> authentication remote-id" is not set
it should be "%any" by default
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote
Set XML default value in use it in the python vpn_ipsec.py script
|
|
This reverts commit 6857447bf6acba3537d5e5372cd320aef078b81e.
|
|
|
|
Added warning message about disable-route-autoinstall
when ipsec vti is used.
|
|
This enabled users to also use 2FA/MFA authentication with a radius backend as
there is enough time to enter the second factor.
|
|
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|