From eabc5f1c2e5bfe548cb3d62f2f85f8d61be29b92 Mon Sep 17 00:00:00 2001
From: Simon <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 28 May 2021 16:35:12 +0200
Subject: ipsec: T2816: IPSec python rework, includes DMVPN and VTI support

---
 data/configd-include.json | 2 +
 data/templates/ipsec/ike-esp.tmpl | 32 +++++++++
 data/templates/ipsec/ipsec.conf.tmpl | 118 ++++++++++++++++++++++++++++++++
 data/templates/ipsec/ipsec.secrets.tmpl | 33 ++++++++-
 data/templates/ipsec/swanctl.conf.tmpl | 54 +++++++++++++++
 5 files changed, 236 insertions(+), 3 deletions(-)
 create mode 100644 data/templates/ipsec/ike-esp.tmpl
 create mode 100644 data/templates/ipsec/swanctl.conf.tmpl
(limited to 'data')

diff --git a/data/configd-include.json b/data/configd-include.json
index c3d59592a..28267d575 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -64,8 +64,10 @@
 "system_lcd.py",
 "task_scheduler.py",
 "tftp_server.py",
+"vpn_ipsec.py",
 "vpn_l2tp.py",
 "vpn_pptp.py",
+"vpn_rsa-keys.py",
 "vpn_sstp.py",
 "vrf.py",
 "vrrp.py",
diff --git a/data/templates/ipsec/ike-esp.tmpl b/data/templates/ipsec/ike-esp.tmpl
new file mode 100644
index 000000000..deeb8c80d
--- /dev/null
+++ b/data/templates/ipsec/ike-esp.tmpl
@@ -0,0 +1,32 @@
+{% macro conn(ike, ike_ciphers, esp, esp_ciphers) -%}
+{% if ike %}
+{% if "key_exchange" in ike %}
+ keyexchange = {{ ike.key_exchange }}
+{% endif %}
+ ike = {{ ike_ciphers }}
+{% if "lifetime" in ike %}
+ ikelifetime = {{ ike.lifetime }}s
+{% endif %}
+ reauth = {{ ike.ikev2_reauth if "ikev2_reauth" in ike else "no" }}
+ closeaction = {{ ike.close_action if "close_action" in ike else "none" }}
+{% if "dead_peer_detection" in ike %}
+ dpdaction = {{ ike.dead_peer_detection.action }}
+ dpdtimeout = {{ ike.dead_peer_detection.timeout }}
+ dpddelay = {{ ike.dead_peer_detection.interval }}
+{% endif %}
+{% if "key_exchange" in ike and ike.key_exchange == "ikev1" and "mode" in ike and ike.mode == "aggressive" %}
+ aggressive = yes
+{% endif %}
+{% if "key_exchange" in ike and ike.key_exchange == "ikev2" %}
+ mobike = {{ "yes" if "mobike" not in ike or ike.mobike == "enable" else "no" }}
+{% endif %}
+{% endif %}
+{% if esp %}
+ esp = {{ esp_ciphers }}
+{% if "lifetime" in esp %}
+ keylife = {{ esp.lifetime }}s
+{% endif %}
+ compress = {{ 'yes' if "compression" in esp and esp.compression == 'enable' else 'no' }}
+ type = {{ esp.mode if "mode" in esp else "tunnel" }}
+{% endif %}
+{%- endmacro %}
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index d0b60765b..75f3de39c 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
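Review bot: The three `dpd*` lines inside `{% if "dead_peer_detection" in ike %}` read `.action`, `.timeout` and `.interval` unguarded, so an IKE group whose dead-peer-detection node carries only some of those leaves renders the others empty (e.g. `dpdtimeout = `), which the ipsec.conf parser will not accept — unless the CLI defaults are merged into `ike` before rendering, which this hunk does not show. Guard each leaf the way `lifetime` is guarded above, e.g. `{% if "timeout" in ike.dead_peer_detection %}`, or fall back to an explicit default. A one-line comment at the macro head stating that `ike`/`esp` may be `None` (as the VTI and tunnel callers pass) and that `ike_ciphers`/`esp_ciphers` are the precomputed proposal strings would also help the next reader.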
@@ -1,3 +1,121 @@
+# Created by VyOS - manual changes will be overwritten
+
+{% import 'ipsec/ike-esp.tmpl' as ike_esp %}
+
+config setup
+ charondebug = "{{ charondebug }}"
+ uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }}
+
+{% if site_to_site is defined and "peer" in site_to_site -%}
+{% for peer, peer_conf in site_to_site.peer.items() %}
+{% set peer_index = loop.index %}
+{% set peer_ike = ike_group[peer_conf.ike_group] %}
+{% set peer_esp = esp_group[peer_conf.default_esp_group] if 'default_esp_group' in peer_conf else None %}
+conn peer-{{ peer }}
+{% if peer_conf.authentication.mode in authby %}
+ authby = {{ authby[peer_conf.authentication.mode] }}
+{% endif %}
+{% if peer_conf.authentication.mode == 'x509' %}
+{% set cert_file = peer_conf.authentication.x509.cert_file %}
+ leftcert = {{ cert_file if cert_file.startswith(x509_path) else (x509_path + cert_file) }}
+ leftsendcert = always
+ rightca = %same
+{% elif peer_conf.authentication.mode == 'rsa' %}
+ leftsigkey = localhost.pub
+ rightsigkey = {{ peer_conf.authentication.rsa_key_name }}.pub
+{% endif %}
+ left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+{% if "id" in peer_conf.authentication and "use_x509_id" not in peer_conf.authentication %}
+ leftid = "{{ peer_conf.authentication.id }}"
+{% endif %}
+ right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }}
+{% if "remote_id" in peer_conf.authentication %}
+ rightid = "{{ peer_conf.authentication.remote_id }}"
+{% elif peer[0:1] == '@' %}
+ rightid = "{{ peer }}"
+{% endif %}
+ keylife = 3600s
+ rekeymargin = 540s
+{{ ike_esp.conn(peer_ike, ciphers.ike[peer_conf.ike_group], peer_esp, ciphers.esp[peer_conf.default_esp_group] if peer_esp else None) }}
+{% if "vti" in peer_conf and "bind" in peer_conf.vti %}
+{% set vti_esp = esp_group[peer_conf.vti.esp_group] if "esp_group" in
peer_conf.vti else None %}
+conn peer-{{ peer }}-vti
+ also = peer-{{ peer }}
+ leftsubnet = 0.0.0.0/0
+ leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+ rightsubnet = 0.0.0.0/0
+ mark = {{ marks[peer_conf.vti.bind] }}
+{{ ike_esp.conn(None, None, vti_esp, ciphers.esp[peer_conf.vti.esp_group] if vti_esp else None) }}
+{% if peer[0:1] == '@' %}
+ rekey = no
+ auto = add
+ keyingtries = %forever
+{% else %}
+{% if 'connection_type' not in peer_conf or peer_conf.connection_type == 'initiate' %}
+ auto = start
+ keyingtries = %forever
+{% endif %}
+{% if peer_conf.connection_type == 'respond' %}
+ auto = route
+ keyingtries = 1
+{% endif %}
+{% endif %}
+{% elif "tunnel" in peer_conf %}
+{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() %}
+{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %}
+{% set tunnel_esp = esp_group[tunnel_esp_name] %}
+{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '%any' %}
+conn peer-{{ peer }}-tunnel-{{tunnel_id}}
+ also = peer-{{ peer }}
+{% if 'mode' not in tunnel_esp or tunnel_esp.mode == 'tunnel' %}
+{% if 'local' in tunnel_conf and 'prefix' in tunnel_conf.local %}
+ leftsubnet = {{ tunnel_conf.local.prefix if tunnel_conf.local.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.local.port if "port" in tunnel_conf.local else '%any' }}]
+{% endif %}
+{% if 'remote' in tunnel_conf and 'prefix' in tunnel_conf.remote %}
+ rightsubnet = {{ tunnel_conf.remote.prefix if tunnel_conf.remote.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.remote.port if "port" in tunnel_conf.remote else '%any' }}]
+{% endif %}
+{% elif tunnel_esp.mode == 'transport' %}
+ leftsubnet = {{ peer_conf.local_address }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}]
+ rightsubnet = {{ peer }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in
tunnel_conf.local else '%any' }}]
+{% endif %}
+{% if 'esp_group' in tunnel_conf %}
+{{ ike_esp.conn(None, None, tunnel_esp, ciphers.esp[tunnel_esp_name]) }}
+{% endif %}
+{% if peer[0:1] == '@' %}
+ rekey = no
+ auto = add
+ keyingtries = %forever
+{% else %}
+{% if 'connection_type' not in peer_conf or peer_conf.connection_type == 'initiate' %}
+ auto = start
+ keyingtries = %forever
+{% endif %}
+{% if peer_conf.connection_type == 'respond' %}
+ auto = route
+ keyingtries = 1
+{% endif %}
+{% endif %}
+{% if 'passthrough' in tunnel_conf and tunnel_conf.passthrough %}
+conn peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough
+ left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }}
+ right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }}
+ leftsubnet = {{ tunnel_conf.local.prefix }}
+ rightsubnet = {{ tunnel_conf.local.prefix }}
+ type = passthrough
+ authby = never
+ auto = route
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{%- endif %}
+
+{% if include_ipsec_conf is defined %}
+include {{ include_ipsec_conf }}
+{% endif %}
+
+{% if delim_ipsec_l2tp_begin is defined -%}
 {{delim_ipsec_l2tp_begin}}
 include {{ipsec_ra_conn_file}}
 {{delim_ipsec_l2tp_end}}
+{%- endif %}
diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl
index 55c010a3b..a1432de57 100644
--- a/data/templates/ipsec/ipsec.secrets.tmpl
+++ b/data/templates/ipsec/ipsec.secrets.tmpl
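Review bot: In the transport-mode branch (`{% elif tunnel_esp.mode == 'transport' %}`) the `rightsubnet` line takes its port from `tunnel_conf.local.port`, the same leaf `leftsubnet` uses, so a tunnel configured with different local and remote ports gets the local port on both traffic selectors; this looks like a copy-paste slip and should presumably read `{{ tunnel_conf.remote.port if "remote" in tunnel_conf and "port" in tunnel_conf.remote else '%any' }}`. The passthrough connection is named `peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough` (missing `r`); since the `conn` name is what operators see in `ipsec status` output and what scripts match on, fixing the spelling before it ships avoids a compatibility break later. `{% if peer_conf.connection_type == 'respond' %}` is also evaluated when `connection_type` is absent, which only works because Jinja's default undefined compares as false — guarding it like the `initiate` test two lines above makes the intent explicit.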
@@ -1,7 +1,34 @@
+# Created by VyOS - manual changes will be overwritten
+
+{% if site_to_site is defined and "peer" in site_to_site %}
+{% set ns = namespace(local_key_set=False) %}
+{% for peer, peer_conf in site_to_site.peer.items() %}
+{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
+{{ (peer_conf.local_address if "local_address" in peer_conf else "%any") ~
+ (" " ~ peer) ~
+ ((" " ~ peer_conf.authentication.id) if "id" in peer_conf.authentication else "") ~
+ ((" " ~ peer_conf.authentication.remote_id) if "remote_id" in peer_conf.authentication else "")
+}} : PSK "{{ peer_conf.authentication.pre_shared_secret }}" # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+{% elif peer_conf.authentication.mode == 'x509' %}
+{% set key_file = peer_conf.authentication.x509.key.file %}
+: RSA {{ key_file if key_file.startswith(x509_path) else (x509_path + key_file) }}{% if "password" in peer_conf.authentication.x509.key and peer_conf.authentication.x509.key.password %} "{{ peer_conf.authentication.x509.key.password}}"{% endif %}
+{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
+{% set ns.local_key_set = True %}
+: RSA {{ rsa_local_key }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if include_ipsec_secrets is defined %}
+include {{ include_ipsec_secrets }}
+{% endif %}
+
+{% if delim_ipsec_l2tp_begin is defined %}
 {{delim_ipsec_l2tp_begin}}
-{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %}
+{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %}
 {{outside_addr}} %any : PSK "{{ipsec_l2tp_secret}}"
-{% elif ipsec_l2tp_auth_mode == 'x509' %}
+{% elif ipsec_l2tp_auth_mode == 'x509' %}
 : RSA {{server_key_file_copied}}
-{% endif%}
+{% endif %}
 {{delim_ipsec_l2tp_end}}
+{% endif %}
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
new file mode 100644
index 000000000..0ce703f20
--- /dev/null
+++ b/data/templates/ipsec/swanctl.conf.tmpl
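Review bot: The pre-shared secret is interpolated verbatim into a double-quoted ipsec.secrets string, `: PSK "{{ peer_conf.authentication.pre_shared_secret }}"`, and the x509 key password on the `: RSA` line likewise, so a value containing `"` or `\` yields a malformed entry that can stop the whole secrets file from loading; the hunk does not show whether the verify step restricts those characters. Either escape the value in the template or reject those characters at verify time, and leave a comment next to the line saying which of the two is relied on. The `# dhcp:` trailer on the PSK line also ends up inside the secrets file; strongSwan treats `#` as a comment so it is harmless, but a short comment noting that it is a marker presumably read back by the DHCP hook would save the next reader a search.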
@@ -0,0 +1,54 @@
+# Created by VyOS - manual changes will be overwritten
+
+{% if profile is defined %}
+connections {
+{% for name, profile_conf in profile.items() if "bind" in profile_conf and "tunnel" in profile_conf.bind %}
+{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
+{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
+{% for interface in profile_conf.bind.tunnel %}
+ dmvpn-{{ name }}-{{ interface }} {
+ proposals = {{ ciphers.ike[profile_conf.ike_group][:-1] }}
+ version = {{ dmvpn_ike.key_exchange[4:] if "key_exchange" in dmvpn_ike else "0" }}
+ rekey_time = {{ dmvpn_ike.lifetime if 'lifetime' in dmvpn_ike else '28800' }}s
+ keyingtries = 0
+{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+{% endif %}
+ children {
+ dmvpn {
+ esp_proposals = {{ ciphers.esp[profile_conf.esp_group][:-1] }}
+ rekey_time = {{ dmvpn_esp.lifetime if 'lifetime' in dmvpn_esp else '3600' }}s
+ rand_time = 540s
+ local_ts = dynamic[gre]
+ remote_ts = dynamic[gre]
+ mode = {{ dmvpn_esp.mode if "mode" in dmvpn_esp else "transport" }}
+{% if 'dead_peer_detection' in dmvpn_ike and 'action' in dmvpn_ike.dead_peer_detection %}
+ dpd_action = {{ dmvpn_ike.dead_peer_detection.action }}
+{% endif %}
+{% if 'compression' in dmvpn_esp and dmvpn_esp['compression'] == 'enable' %}
+ ipcomp = yes
+{% endif %}
+ }
+ }
+ }
+{% endfor %}
+{% endfor %}
+}
+
+secrets {
+{% for name, profile_conf in profile.items() if "bind" in profile_conf and "tunnel" in profile_conf.bind %}
+{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% for interface in profile_conf.bind.tunnel %}
+ ike-dmvpn-{{ interface }} {
+ secret = {{ profile_conf.authentication.pre_shared_secret }}
+ }
+{% endfor %}
+{% endif %}
+{% endfor %}
+}
+{% endif %}
--
cgit v1.2.3
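Review bot: `dpd_action` is emitted in the `dmvpn` child whenever the IKE group has a dead-peer-detection action, but no `dpd_delay` is set on the connection, and in swanctl's `connections` section active liveness checking stays off while `dpd_delay` is unset, so the configured action never fires; the `interval` leaf that ike-esp.tmpl maps to `dpddelay` should be emitted here too, e.g. `dpd_delay = {{ dmvpn_ike.dead_peer_detection.interval }}s` after `keyingtries = 0`, guarded the same way as `dpd_action`. The `secret = {{ profile_conf.authentication.pre_shared_secret }}` line in `secrets` is unquoted, so as far as the strongswan.conf syntax goes a PSK containing `#` or surrounding whitespace is silently truncated; quoting it (with escaping) or restricting the character set at verify time would turn that into a visible error. The slicing in `proposals`/`esp_proposals` (`[:-1]`) and `version` (`key_exchange[4:]`) deserves a comment stating what is being stripped, since nothing in this file shows the shape of `ciphers` or of the `key_exchange` values.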