summaryrefslogtreecommitdiff
path: root/src/conf_mode/vpn_ipsec.py
AgeCommit message (Collapse)Author
2026-06-23ipsec: T8975: lock vti-up-down state DB to prevent lost updates under ↵Robert Navarro
concurrent rekey The vti-up-down hook and vpn_ipsec.py modify a flat-file DB (/tmp/ipsec_vti_interfaces) through three context managers that do an unlocked read-modify-write. During a coordinated rekey, strongSwan fires the hook for many VTIs concurrently, so the writers lost-update each other: an interface whose up-client add is overwritten is left admin-down while its CHILD_SA stays installed. Serialise all DB access by reusing vyos.utils.locking.Lock. A new _vti_updown_db_lock() context manager wraps the three public context managers, and remove_vti_updown_db() holds the lock across both the DB processing and the os.unlink() to close the create/delete race. Make the helpers absence-safe under the lock so callers no longer compose a separate existence check with a locked operation: open_vti_updown_db_readonly() yields None when the DB does not exist and remove_vti_updown_db() is a no-op when it is absent. Drop the now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and vpn_ipsec.py and handle the None yield.
2026-06-16T8923: normalize "can not" to "cannot"Christian Breunig
Replace two-word "can not" / "Can not" with "cannot" across comments, ConfigError messages, CLI help text, and op-mode output. Standard SNMP MIB files under mibs/ are left unchanged.
2026-05-27ipsec: T8912: Fix log level not respected in system journalOleksandr Kuchmystyi
When setting 'vpn ipsec logging log-level 0', DPD informational messages (log level 1) were still appearing in the system journal. The root cause is that charon-systemd reads both `charon-systemd.conf` and `charon-logging.conf` and applies the higher of the two log levels to the journal. The VyOS only managed `charon-systemd.conf`, leaving `charon-logging.conf` at its default level of 1, which silently overrode the user-configured level. Fix this by rendering `charon-logging.conf` on every commit with syslog backend set to -1 (silent), making `charon-systemd.conf` the sole authoritative source for journal log verbosity. This also eliminates duplicate log entries in the journal that occurred when both backends were active and writing to the same destination.
2026-05-20ipsec: T7555: Implement `ikev2-reauth` for site-to-site peersOleksandr Kuchmystyi
IKEv2 reauthentication was configurable via CLI but never translated into `swanctl.conf`. Add `reauth_time` to the peer connection template, driven by the `ikev2-reauth` flag on the ike-group and the per-peer override (yes/no/inherit).
2026-03-24T8410: Fix typos and mistakes for operational and configuration commandsViacheslav Hletenko
Fix typos and mistakes in the commands and comments No functional changes
2026-03-04T8136: IPSEC PPK SupportGiga Murphy
2026-01-05ipsec: T8022: Fix invalid automatic `dynamic` prefix assignment for ↵Oleksandr Kuchmystyi
transport mode tunnels When ESP was configured in transport mode for GRE-based site-to-site tunnels, the default value `dynamic` was automatically injected into the configuration, even though prefixes must not be set in transport mode. This led to error "Local/remote prefix cannot be used with ESP transport mode" and commit failures. This fix updates configuration logic to skip default prefix assignment for site-to-site peers using ESP transport mode tunnels.
2025-07-28ipsec: T7593: Add dynamic prefix for local and remote traffic selectorsOleksandr Kuchmystyi
In case when there is no local/remote prefix configured in a tunnel settings, a protocol configured for such tunnel is ignored. The correct way to generate the configuration is to set the prefix to `dynamic` if it was not set. The correct config for the described case is: ``` local_ts = dynamic[gre/] remote_ts = dynamic[gre/] ```
2025-06-28T7591: remove copyright years from source filesChristian Breunig
The legal team says years are not necessary so we can go ahead with it, since it will simplify backporting. Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \ 's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g' In addition we will error-out during "make" if someone re-adds a legacy copyright notice
2025-05-16T7458: Fix VPN IPsec unexpected passthrough logic bugViacheslav Hletenko
VPN IPsec unexpected passthrough logic bug was introduced in this commit https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1 The correct behaviour of the `cidr_fit` was replaced with the incorrect `overlap` This way, the passthrough option is used every time when networks overlap. ``` >>> from ipaddress import ip_network >>> >>> a = ip_network('192.0.2.0/24') >>> b = ip_network('192.0.2.100/30') >>> >>> a.overlaps(b) True >>> >>> b.overlaps(a) True >>> ``` But there should be `subnet_of`: ``` >>> a.subnet_of(b) False >>> >>> b.subnet_of(a) True >>> ``` In configuration it looks like ``` set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24' set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30' ``` The StrongSwan unexpected configuration: ``` RIGHT-tunnel-0-passthrough { local_ts = 192.0.2.0/24 remote_ts = 192.0.2.0/24 start_action = trap mode = pass } ``` So all outcoming traffic to the 192.0.2.0/24 pass through the main routing table instead of out SA Use `subnet_of` to fix this
2025-04-02T7290: Fix VPN IPsec log level processingViacheslav Hletenko
Fix the IPsec log level option processing set vpn ipsec log level '2' Render Jinja2 template to generate correct log for IPsec for the file /etc/strongswan.d/charon-systemd.conf
2025-03-13ipsec: T7242: Add check for encryption algorithms that do not work with VPPNataliia Solomko
2025-01-09nhrp: T2326: NHRP migration to FRRaapostoliuk
NHRP migration to FRR
2024-10-02ipsec: T6101: Add validation for proposal option used in IKE groupNataliia Solomko
2024-08-12configverify: T6642: verify_interface_exists requires config_dict argJohn Estabrook
The function verify_interface_exists requires a reference to the ambient config_dict rather than creating an instance. As access is required to the 'interfaces' path, provide as attribute of class ConfigDict, so as not to confuse path searches of script-specific config_dict instances.
2024-08-04ipsec: T5873: remove unused importsChristian Breunig
2024-07-26T5873: vpn ipsec: ignore dhcp/vti settings when connection disabledLucas Christian
2024-07-26T5873: vpn ipsec: re-write of ipsec updown hookLucas Christian
2024-07-22T5873: vpn ipsec remote-access: support VTI interfacesLucas Christian
2024-07-22T6599: ipsec: fix incorect default behavior for dead-peer-detectionLucas Christian
2024-04-03T6199: drop unused Python importsChristian Breunig
found using "git ls-files *.py | xargs pylint | grep W0611"
2024-04-03T6199: replace netifaces.interfaces() with common custom helpersChristian Breunig
* Use interface_exists() outside of verify() * Use verify_interface_exists() in verify() to drop common error message
2024-03-28Merge pull request #3202 from sarthurdev/T5606_1Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-03-04T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue
2024-01-11ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemonChristian Breunig
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS.
2024-01-10T5918: Fix typo in verify vpn ipsec interfaceViacheslav Hletenko
The correct CLI command is `interface` and not `interfaces` ``` set vpn ipsec interface xxx ```
2024-01-07ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2023-09-24ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify
2023-08-07T5319: remove workarounds for defaults in vpn_ipsec.pyJohn Estabrook
2023-08-06T5195: move helpers from vyos.validate to vyos.utils packageChristian Breunig
2023-08-04dhcp: T5428: provide common direcotry path via vyos.defaults.directoriesChristian Breunig
Multiple scripts use the same hardcoded path for DHCP client leases in different direcotries - this can't be worse.
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-05-31T5210: VPN: Fix typo in WarningJohn Landicho
2023-03-23ipsec: T2816: Cleanup dhcp hook file if not requiredsarthurdev
2023-02-22ipsec: T4593: Remove references to deleted variablessarthurdev
2023-02-15ipsec: T4593: Migrate and remove legacy `include-ipsec` nodessarthurdev
Not supported with swanctl
2023-02-14strongSwan: T4593: move to charon-systemdChristian Breunig
2023-01-26T4916: Rewrite IPsec peer authentication and psk migrationViacheslav Hletenko
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
2023-01-12T4118: Add default value any for connection remote-idViacheslav Hletenko
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script
2023-01-09Revert "strongSwan: upgrade scripts to work with package version 5.9.8"Christian Poessinger
This reverts commit 6857447bf6acba3537d5e5372cd320aef078b81e.
2022-12-27strongSwan: upgrade scripts to work with package version 5.9.8Christian Poessinger
2022-11-18T4793: Added warning about disable-route-autoinstallaapostoliuk
Added warning message about disable-route-autoinstall when ipsec vti is used.
2022-10-31ipsec: T4787: add support for road-warrior/remote-access RADIUS timeoutChristian Poessinger
This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor.
2022-10-01T4722: consistently use the "IPsec" spelling for IPsecDaniil Baturin
2022-09-16Merge pull request #1463 from sever-sever/T4118Daniil Baturin
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script