summaryrefslogtreecommitdiff
path: root/src/conf_mode/vpn_ipsec.py
AgeCommit message (Collapse)Author
2024-08-12configverify: T6642: verify_interface_exists requires config_dict argJohn Estabrook
The function verify_interface_exists requires a reference to the ambient config_dict rather than creating an instance. As access is required to the 'interfaces' path, provide as attribute of class ConfigDict, so as not to confuse path searches of script-specific config_dict instances.
2024-08-04ipsec: T5873: remove unused importsChristian Breunig
2024-07-26T5873: vpn ipsec: ignore dhcp/vti settings when connection disabledLucas Christian
2024-07-26T5873: vpn ipsec: re-write of ipsec updown hookLucas Christian
2024-07-22T5873: vpn ipsec remote-access: support VTI interfacesLucas Christian
2024-07-22T6599: ipsec: fix incorect default behavior for dead-peer-detectionLucas Christian
2024-04-03T6199: drop unused Python importsChristian Breunig
found using "git ls-files *.py | xargs pylint | grep W0611"
2024-04-03T6199: replace netifaces.interfaces() with common custom helpersChristian Breunig
* Use interface_exists() outside of verify() * Use verify_interface_exists() in verify() to drop common error message
2024-03-28Merge pull request #3202 from sarthurdev/T5606_1Daniil Baturin
ipsec: T5606: T5871: Use multi node for CA certificates
2024-03-28ipsec: T5606: T5871: Use multi node for CA certificatessarthurdev
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates. Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-03-04T6084: Add NHRP dependency for IPsec and fix NHRP empty config bugViacheslav Hletenko
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue
2024-01-11ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemonChristian Breunig
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS.
2024-01-10T5918: Fix typo in verify vpn ipsec interfaceViacheslav Hletenko
The correct CLI command is `interface` and not `interfaces` ``` set vpn ipsec interface xxx ```
2024-01-07ipsec: T5905: use interface_exists() wrapper over raw calls to os.path.exists()Christian Breunig
2024-01-04configdict: T5894: add get_config_dict() flag with_pkiChristian Breunig
VyOS has several services relaying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2023-09-24ipsec: T5606: Add support for whole CA chainssarthurdev
Also includes an update to smoketest to verify
2023-08-07T5319: remove workarounds for defaults in vpn_ipsec.pyJohn Estabrook
2023-08-06T5195: move helpers from vyos.validate to vyos.utils packageChristian Breunig
2023-08-04dhcp: T5428: provide common direcotry path via vyos.defaults.directoriesChristian Breunig
Multiple scripts use the same hardcoded path for DHCP client leases in different direcotries - this can't be worse.
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-05-31T5210: VPN: Fix typo in WarningJohn Landicho
2023-03-23ipsec: T2816: Cleanup dhcp hook file if not requiredsarthurdev
2023-02-22ipsec: T4593: Remove references to deleted variablessarthurdev
2023-02-15ipsec: T4593: Migrate and remove legacy `include-ipsec` nodessarthurdev
Not supported with swanctl
2023-02-14strongSwan: T4593: move to charon-systemdChristian Breunig
2023-01-26T4916: Rewrite IPsec peer authentication and psk migrationViacheslav Hletenko
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
2023-01-12T4118: Add default value any for connection remote-idViacheslav Hletenko
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script
2023-01-09Revert "strongSwan: upgrade scripts to work with package version 5.9.8"Christian Poessinger
This reverts commit 6857447bf6acba3537d5e5372cd320aef078b81e.
2022-12-27strongSwan: upgrade scripts to work with package version 5.9.8Christian Poessinger
2022-11-18T4793: Added warning about disable-route-autoinstallaapostoliuk
Added warning message about disable-route-autoinstall when ipsec vti is used.
2022-10-31ipsec: T4787: add support for road-warrior/remote-access RADIUS timeoutChristian Poessinger
This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor.
2022-10-01T4722: consistently use the "IPsec" spelling for IPsecDaniil Baturin
2022-09-16Merge pull request #1463 from sever-sever/T4118Daniil Baturin
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script
2022-08-24ipsec: T2185: use systemd to start/stop serviceChristian Poessinger
2022-05-01ipsec: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-25vpn-ipsec: T4398: Fix unexpected passthrough policy for peerViacheslav Hletenko
Set default passtrough list to None to prevent unexpected policy for peers with not overplapped local and remote prefixes
2021-09-15ipsec: T3830: "authentication id|use-x509-id" are mutually exclusiveChristian Poessinger
Manually set peer id and use-x509-id are mutually exclusive!
2021-08-26ipsec: T1210: support road-warrior IP assignment via RADIUS Framed-IP-AddressChristian Poessinger
Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a "radius" option.
2021-08-08ipsec: l2tp: T2816: remove duplicate 3des-sha1-modp1024 proposalChristian Poessinger
2021-08-04ipsec: T3718: fix default processing of ike dh-group proposalsChristian Poessinger
IKE dh-group defaults to 2 (modp1024).
2021-07-26ipsec: T1210: remote-access connections only work with IKEv2Christian Poessinger
2021-07-25ipsec: T1210: add RADIUS authentication for remote-access IKEv2 VPNChristian Poessinger
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' set vpn ipsec remote-access connection rw authentication id '192.0.2.1' set vpn ipsec remote-access connection rw authentication server-mode 'x509' set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' set vpn ipsec remote-access connection rw esp-group 'ESP-RW' set vpn ipsec remote-access connection rw ike-group 'IKE-RW' set vpn ipsec remote-access connection rw local-address '192.0.2.1' set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' set vpn ipsec remote-access connection rw unique 'never' set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2' set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24' set vpn ipsec remote-access radius nas-identifier 'fooo' set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
2021-07-25ipsec: T1210: move DHCP server configuration unter remote-access nodeChristian Poessinger
As this is only related to remote-access, keeping it under "options" simply feels wrong.
2021-07-22ipsec: T2816: remove "auto-update" CLI optionChristian Poessinger
Update/refresh of DNS records is now handled internally by Strongswan.
2021-07-19ipsec: T1210: split out pool from remote-access configurationChristian Poessinger
Remote access IP pools can now be defined at a global level and referenced in IPSec remote-access connections. To defined a pool use: set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1' set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24' set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1' set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64' A connection can then reference the pool: set vpn ipsec remote-access connection foo pool 'global-ipv4' set vpn ipsec remote-access connection foo pool 'global-ipv6'
2021-07-18ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6 prefixesChristian Poessinger
... this enables a dual-stack IKEv2 VPN deployment.
2021-07-18ipsec: T2816: limit remote-access nameservers to two IPv4 and two for IPv6Christian Poessinger