From ab5ca2796c1aad0043cc0db80299e4e2d42c1b22 Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Thu, 25 Jul 2019 09:48:08 -0700
Subject: [accel-l2tp] - T834: l2tp implementation

  - node.def deletion for show remote-access
  - IPSec interface checking for L2TP
  - IPSec x509 for l2tp
  - verification of outside-address to warning since it was optional in the previous config
---
 interface-definitions/l2tp-server.xml | 507 ++++++++++++++++++++++++++++++++++
 1 file changed, 507 insertions(+)
 create mode 100644 interface-definitions/l2tp-server.xml

(limited to 'interface-definitions/l2tp-server.xml')

diff --git a/interface-definitions/l2tp-server.xml b/interface-definitions/l2tp-server.xml
new file mode 100644
index 000000000..2d103aae0
--- /dev/null
+++ b/interface-definitions/l2tp-server.xml
@@ -0,0 +1,507 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="vpn">
+    <children>
+      <node name="l2tp" owner="${vyos_conf_scripts_dir}/accel_l2tp.py">
+        <properties>
+          <help>L2TP Virtual Private Network (VPN)</help>
+        </properties>
+        <children>
+          <node name="remote-access">
+            <properties>
+              <help>Remote access L2TP VPN</help>
+            </properties>
+            <children>
+              <leafNode name="mtu">
+                <properties>
+                  <help>Maximum Transmission Unit (MTU)</help>
+                  <constraint>
+                    <validator name="numeric" argument="--range 128-16384"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="outside-address">
+                <properties>
+                  <help>External IP address to which VPN clients will connect</help>
+                  <constraint>
+                    <validator name="ipv4-address"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="outside-nexthop">
+                <properties>
+                  <help>Nexthop IP address for reaching the VPN clients</help>
+                  <constraint>
+                    <validator name="ipv4-address"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <node name="dns-servers">
+                <properties>
+                  <help>IPv4 Domain Name Service (DNS) server</help>
+                </properties>
+                <children>
+                  <leafNode name="server-1">
+                    <properties>
+                      <help>Primary DNS server</help>
+                      <valueHelp>
+                        <format>ipv4</format>
+                        <description>IPv4 address</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv4-address"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="server-2">
+                    <properties>
+                      <help>Secondary DNS server</help>
+                      <valueHelp>
+                        <format>ipv4</format>
+                        <description>IPv4 address</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv4-address"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="ipsec-settings">
+                <properties>
+                  <help>Internet Protocol Security (IPsec) for remote access L2TP VPN</help>
+                </properties>
+                <children>
+                  <node name="authentication">
+                    <properties>
+                      <help>IPsec authentication settings</help>
+                    </properties>
+                    <children>
+                      <leafNode name="mode">
+                        <properties>
+                          <help>Authentication mode for IPsec</help>
+                          <valueHelp>
+                            <format>pre-shared-secret</format>
+                            <description>Use pre-shared secret for IPsec authentication</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>x509</format>
+                            <description>Use X.509 certificate for IPsec authentication</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>^(pre-shared-secret|x509)</regex>
+                          </constraint>
+                          <completionHelp>
+                            <list>pre-shared-secret x509</list>
+                          </completionHelp>
+                        </properties>
+                      </leafNode>
+                      <leafNode name="pre-shared-secret">
+                        <properties>
+                          <help>Pre-shared secret for IPsec</help>
+                        </properties>
+                      </leafNode>
+                      <node name="x509">
+                        <properties>
+                          <help>X.509 certificate</help>
+                        </properties>
+                        <children>
+                          <leafNode name="ca-cert-file">
+                            <properties>
+                              <help>File containing the X.509 certificate for the Certificate Authority (CA)</help>
+                              <valueHelp>
+                                <format>&lt;text&gt;</format>
+                                <description>File in /config/auth</description>
+                              </valueHelp>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="crl-file">
+                            <properties>
+                              <help>File containing the X.509 Certificate Revocation List (CRL)</help>
+                              <valueHelp>
+                                <format>&lt;text&gt;</format>
+                                <description>File in /config/auth</description>
+                              </valueHelp>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="server-cert-file">
+                            <properties>
+                              <help>File containing the X.509 certificate for the remote access VPN server (this host)</help>
+                              <valueHelp>
+                                <format>&lt;text&gt;</format>
+                                <description>File in /config/auth</description>
+                              </valueHelp>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="server-key-file">
+                            <properties>
+                              <help>File containing the private key for the X.509 certificate for the remote access VPN server (this host)</help>
+                              <valueHelp>
+                                <format>&lt;text&gt;</format>
+                                <description>File in /config/auth</description>
+                              </valueHelp>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="server-key-password">
+                            <properties>
+                              <help>Password that protects the private key</help>
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
+                  <leafNode name="ike-lifetime">
+                    <properties>
+                      <help>IKE lifetime</help>
+                      <valueHelp>
+                        <format>&lt;30-86400&gt;</format>
+                        <description>IKE lifetime in seconds (default 3600)</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 30-86400"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                   <leafNode name="lifetime">
+                    <properties>
+                      <help>ESP lifetime</help>
+                      <valueHelp>
+                        <format>&lt;30-86400&gt;</format>
+                        <description>IKE lifetime in seconds (default 3600)</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 30-86400"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="wins-servers">
+                <properties>
+                  <help>Windows Internet Name Service (WINS) server settings</help>
+                </properties>
+                <children>
+                  <leafNode name="server-1">
+                    <properties>
+                      <help>Primary WINS server</help>
+                      <constraint>
+                        <validator name="ipv4-address"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="server-2">
+                    <properties>
+                      <help>Secondary WINS server</help>
+                    <constraint>
+                      <validator name="ipv4-address"/>
+                    </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="client-ip-pool">
+                <properties>
+                  <help>Pool of client IP addresses (must be within a /24)</help>
+                </properties>
+                <children>
+                  <leafNode name="start">
+                    <properties>
+                      <help>First IP address in the pool (will be used as gateway address)</help>
+                      <constraint>
+                        <validator name="ipv4-address"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="stop">
+                    <properties>
+                      <help>Last IP address in the pool</help>
+                      <constraint>
+                        <validator name="ipv4-address"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="subnet">
+                    <properties>
+                      <help>Client IP subnet (CIDR notation)</help>
+                      <constraint>
+                        <validator name="ipv4-prefix"/>
+                      </constraint>
+                      <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage>
+                      <valueHelp>
+                        <format>ipv4net</format>
+                        <description>IPv4 subnet address</description>
+                      </valueHelp>
+                      <multi />
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <leafNode name="description">
+                <properties>
+                  <help>Description for L2TP remote-access settings</help>
+                </properties>
+              </leafNode>
+              <leafNode name="dhcp-interface">
+                <properties>
+                  <help>DHCP interface to listen on</help>
+                </properties>
+              </leafNode>
+              <leafNode name="idle">
+                <properties>
+                  <help>PPP idle timeout</help>
+                  <valueHelp>
+                    <format>&lt;30-86400&gt;</format>
+                    <description>PPP idle timeout in seconds (default 1800)</description>
+                  </valueHelp>
+                    <constraint>
+                      <validator name="numeric" argument="--range 30-86400"/>
+                    </constraint>
+                </properties>
+              </leafNode>
+              <node name="authentication">
+                <properties>
+                  <help>Authentication for remote access L2TP VPN</help>
+                </properties>
+                <children>
+                  <leafNode name="require">
+                    <properties>
+                      <help>Authentication protocol for remote access peer L2TP VPN</help>
+                      <valueHelp>
+                        <format>pap</format>
+                        <description>Require the peer to authenticate itself using PAP [Password Authentication Protocol].</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>chap</format>
+                        <description>Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>mschap</format>
+                        <description>Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>mschap-v2</format>
+                        <description>Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>^(pap|chap|mschap|mschap-v2)</regex>
+                      </constraint>
+                      <completionHelp>
+                        <list>pap chap mschap mschap-v2</list>
+                      </completionHelp>
+                      <multi />
+                    </properties>
+                  </leafNode>
+                  <leafNode name="mppe">
+                    <properties>
+                      <help>Specifies mppe negotioation preference. (default require mppe 128-bit stateless</help>
+                      <valueHelp>
+                        <format>deny</format>
+                        <description>deny mppe</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prefer</format>
+                        <description>ask client for mppe, if it rejects don't fail</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>require</format>
+                        <description>ask client for mppe, if it rejects drop connection</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>^(deny|prefer|require)</regex>
+                      </constraint>
+                      <completionHelp>
+                        <list>deny prefer require</list>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="mode">
+                    <properties>
+                      <help>Authentication mode for remote access L2TP VPN</help>
+                      <valueHelp>
+                        <format>local</format>
+                        <description>Use local username/password configuration</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>radius</format>
+                        <description>Use a RADIUS server to autenticate users</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>^(local|radius)</regex>
+                      </constraint>
+                      <completionHelp>
+                        <list>local radius</list>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                  <node name="local-users">
+                    <properties>
+                      <help>Local user authentication for remote access L2TP VPN</help>
+                    </properties>
+                    <children>
+                      <tagNode name="username">
+                        <properties>
+                          <help>User name for authentication</help>
+                        </properties>
+                        <children>
+                          <leafNode name="disable">
+                            <properties>
+                              <help>Option to disable a L2TP Server user</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="password">
+                            <properties>
+                              <help>Password for authentication</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="static-ip">
+                            <properties>
+                              <help>Static client IP address</help>
+                            </properties>
+                          </leafNode>
+                          <node name="rate-limit">
+                            <properties>
+                              <help>Upload/Download speed limits</help>
+                            </properties>
+                            <children>
+                              <leafNode name="upload">
+                                <properties>
+                                  <help>Upload bandwidth limit in kbits/sec</help>
+                                  <constraint>
+                                    <validator name="numeric" argument="--range 1-65535"/>
+                                  </constraint>
+                                </properties>
+                              </leafNode>
+                              <leafNode name="download">
+                                <properties>
+                                  <help>Download bandwidth limit in kbits/sec</help>
+                                  <constraint>
+                                    <validator name="numeric" argument="--range 1-65535"/>
+                                  </constraint>
+                                </properties>
+                              </leafNode>
+                            </children>
+                          </node>
+                        </children>
+                      </tagNode>
+                    </children>
+                  </node>
+                  <node name="radius">
+                    <properties>
+                      <help>RADIUS specific configuration</help>
+                    </properties>
+                    <children>
+                      <tagNode name="server">
+                        <properties>
+                          <help>IP address of radius server</help>
+                          <valueHelp>
+                            <format>ipv4</format>
+                            <description>IP address of RADIUS server</description>
+                          </valueHelp>
+                        </properties>
+                        <children>
+                          <leafNode name="key">
+                            <properties>
+                              <help>Key for accessing the specified server</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="req-limit">
+                            <properties>
+                              <help>Maximum number of simultaneous requests to server (default: unlimited)</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="fail-time">
+                            <properties>
+                              <help>If server doesn't responds mark it as unavailable for this amount of time in seconds</help>
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </tagNode>
+                    </children>
+                  </node>
+                  <node name="radius-settings">
+                    <properties>
+                      <help>RADIUS settings</help>
+                    </properties>
+                    <children>
+                      <leafNode name="timeout">
+                        <properties>
+                          <help>Timeout to wait response from server (seconds)</help>
+                        </properties>
+                      </leafNode>
+                      <leafNode name="acct-timeout">
+                        <properties>
+                          <help>Timeout to wait reply for Interim-Update packets. (default 3 seconds)</help>
+                        </properties>
+                      </leafNode>
+                      <leafNode name="max-try">
+                        <properties>
+                          <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
+                        </properties>
+                      </leafNode>
+                      <leafNode name="nas-identifier">
+                        <properties>
+                          <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
+                        </properties>
+                      </leafNode>
+                      <leafNode name="nas-ip-address">
+                        <properties>
+                          <help>Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.</help>
+                        </properties>
+                      </leafNode>
+                      <node name="dae-server">
+                        <properties>
+                          <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
+                        </properties>
+                        <children>
+                          <leafNode name="ip-address">
+                            <properties>
+                              <help>IP address for Dynamic Authorization Extension server (DM/CoA)</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="port">
+                            <properties>
+                              <help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="secret">
+                            <properties>
+                              <help>Secret for Dynamic Authorization Extension server (DM/CoA)</help>
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </node>
+                      <node name="rate-limit">
+                        <properties>
+                          <help>Upload/Download speed limits</help>
+                        </properties>
+                        <children>
+                          <leafNode name="attribute">
+                            <properties>
+                              <help>Specifies which radius attribute contains rate information. (default is Filter-Id)</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="vendor">
+                            <properties>
+                              <help>Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius)</help>
+                            </properties>
+                          </leafNode>
+                          <leafNode name="enable">
+                            <properties>
+                              <help>Enables Bandwidth shaping via RADIUS</help>
+                              <valueless />
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
+                </children>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3