From 2d79a5000c8a02fd7570f629c3182fd55fdb8c86 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 3 Jul 2021 11:40:19 +0000 Subject: ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string --- python/vyos/template.py | 46 +++++++++++++++++++++++++++++++++++ src/tests/test_template.py | 60 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) diff --git a/python/vyos/template.py b/python/vyos/template.py index 5c12e9914..f03fd7ee7 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -387,3 +387,49 @@ def get_ip(interface): """ Get interface IP addresses""" from vyos.ifconfig import Interface return Interface(interface).get_addr() + +@register_filter('get_esp_ike_cipher') +def get_esp_ike_cipher(group_config): + pfs_lut = { + 'dh-group1' : 'modp768', + 'dh-group2' : 'modp1024', + 'dh-group5' : 'modp1536', + 'dh-group14' : 'modp2048', + 'dh-group15' : 'modp3072', + 'dh-group16' : 'modp4096', + 'dh-group17' : 'modp6144', + 'dh-group18' : 'modp8192', + 'dh-group19' : 'ecp256', + 'dh-group20' : 'ecp384', + 'dh-group21' : 'ecp512', + 'dh-group22' : 'modp1024s160', + 'dh-group23' : 'modp2048s224', + 'dh-group24' : 'modp2048s256', + 'dh-group25' : 'ecp192', + 'dh-group26' : 'ecp224', + 'dh-group27' : 'ecp224bp', + 'dh-group28' : 'ecp256bp', + 'dh-group29' : 'ecp384bp', + 'dh-group30' : 'ecp512bp', + 'dh-group31' : 'curve25519', + 'dh-group32' : 'curve448' + } + + ciphers = [] + if 'proposal' in group_config: + for priority, proposal in group_config['proposal'].items(): + # both encryption and hash need to be specified for a proposal + if not {'encryption', 'hash'} <= set(proposal): + continue + + tmp = '{encryption}-{hash}'.format(**proposal) + if 'dh_group' in proposal: + tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ] + elif 'pfs' in group_config and group_config['pfs'] != 'disable': + group = group_config['pfs'] + if group_config['pfs'] == 'enable': + group = 'dh-group2' + tmp += '-' + pfs_lut[group] + + ciphers.append(tmp) + return ciphers diff --git a/src/tests/test_template.py b/src/tests/test_template.py index 67c0fe84a..2d065f545 100644 --- a/src/tests/test_template.py +++ b/src/tests/test_template.py @@ -122,3 +122,63 @@ class TestVyOSTemplate(TestCase): self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48')) self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64')) self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64')) + + def test_cipher_to_string(self): + ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256' + IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024' + + data = { + 'esp_group': { + 'ESP_DEFAULT': { + 'compression': 'disable', + 'lifetime': '3600', + 'mode': 'tunnel', + 'pfs': 'dh-group19', + 'proposal': { + '10': { + 'encryption': 'aes256gcm128', + 'hash': 'sha256', + }, + '20': { + 'encryption': 'aes128ccm64', + 'hash': 'sha256', + } + } + } + }, + 'ike_group': { + 'IKEv2_DEFAULT': { + 'close_action': 'none', + 'dead_peer_detection': { + 'action': 'hold', + 'interval': '30', + 'timeout': '120' + }, + 'ikev2_reauth': 'no', + 'key_exchange': 'ikev2', + 'lifetime': '10800', + 'mobike': 'disable', + 'proposal': { + '10': { + 'dh_group': '19', + 'encryption': 'aes256gcm128', + 'hash': 'sha256' + }, + '20': { + 'dh_group': '2', + 'encryption': 'aes128ccm128', + 'hash': 'md5_128' + }, + } + } + }, + } + + for group_name, group_config in data['esp_group'].items(): + ciphers = vyos.template.get_esp_ike_cipher(group_config) + self.assertIn(ESP_DEFAULT, ','.join(ciphers)) + + for group_name, group_config in data['ike_group'].items(): + ciphers = vyos.template.get_esp_ike_cipher(group_config) + self.assertIn(IKEv2_DEFAULT, ','.join(ciphers)) + -- cgit v1.2.3