From 9612e133a4aac9954bfa8f3c2c0b386e0265ce3d Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 1 Dec 2020 18:29:01 +0200 Subject: vpn: ipsec: T3093: add XML for vpn ipsec conf-mode --- .../include/vpn-ipsec-encryption.xml.i | 233 ++++ interface-definitions/include/vpn-ipsec-hash.xml.i | 65 ++ interface-definitions/vpn_ipsec.xml.in | 1188 ++++++++++++++++++++ 3 files changed, 1486 insertions(+) create mode 100644 interface-definitions/include/vpn-ipsec-encryption.xml.i create mode 100644 interface-definitions/include/vpn-ipsec-hash.xml.i create mode 100644 interface-definitions/vpn_ipsec.xml.in (limited to 'interface-definitions') diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i new file mode 100644 index 000000000..1c1d728fc --- /dev/null +++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i 
@@ -0,0 +1,233 @@ + + + + Encryption algorithm + + null aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr aes128ccm64 aes192ccm64 aes256ccm64 aes128ccm96 aes192ccm96 aes256ccm96 aes128ccm128 aes192ccm128 aes256ccm128 aes128gcm64 aes192gcm64 aes256gcm64 aes128gcm96 aes192gcm96 aes256gcm96 aes128gcm128 aes192gcm128 aes256gcm128 aes128gmac aes192gmac aes256gmac 3des blowfish128 blowfish192 blowfish256 camellia128 camellia192 camellia256 camellia128ctr camellia192ctr camellia256ctr camellia128ccm64 camellia192ccm64 camellia256ccm64 camellia128ccm96 camellia192ccm96 camellia256ccm96 camellia128ccm128 camellia192ccm128 camellia256ccm128 serpent128 serpent192 serpent256 twofish128 twofish192 twofish256 cast128 chacha20poly1305 + + + null + Null encryption + + + aes128 + 128 bit AES-CBC (default) + + + aes192 + 192 bit AES-CBC + + + aes256 + 256 bit AES-CBC + + + aes128ctr + 128 bit AES-COUNTER + + + aes192ctr + 192 bit AES-COUNTER + + + aes256ctr + 256 bit AES-COUNTER + + + aes128ccm64 + 128 bit AES-CCM with 64 bit ICV + + + aes192ccm64 + 192 bit AES-CCM with 64 bit ICV + + + aes256ccm64 + 256 bit AES-CCM with 64 bit ICV + + + aes128ccm96 + 128 bit AES-CCM with 96 bit ICV + + + aes192ccm96 + 192 bit AES-CCM with 96 bit ICV + + + aes256ccm96 + 256 bit AES-CCM with 96 bit ICV + + + aes128ccm128 + 128 bit AES-CCM with 128 bit ICV + + + aes192ccm128 + 192 bit AES-CCM with 128 bit IC + + + aes256ccm128 + 256 bit AES-CCM with 128 bit ICV + + + aes128gcm64 + 128 bit AES-GCM with 64 bit ICV + + + aes192gcm64 + 192 bit AES-GCM with 64 bit ICV + + + aes256gcm64 + 256 bit AES-GCM with 64 bit ICV + + + aes128gcm96 + 128 bit AES-GCM with 96 bit ICV + + + aes192gcm96 + 192 bit AES-GCM with 96 bit ICV + + + aes256gcm96 + 256 bit AES-GCM with 96 bit ICV + + + aes128gcm128 + 128 bit AES-GCM with 128 bit ICV + + + aes192gcm128 + 192 bit AES-GCM with 128 bit ICV + + + aes256gcm128 + 256 bit AES-GCM with 128 bit ICV + + + aes128gmac + Null encryption with 128 bit AES-GMAC + + + aes192gmac + 
Null encryption with 192 bit AES-GMAC + + + aes256gmac + Null encryption with 256 bit AES-GMAC + + + 3des + 168 bit 3DES-EDE-CBC + + + blowfish128 + 128 bit Blowfish-CBC + + + blowfish192 + 192 bit Blowfish-CBC + + + blowfish256 + 256 bit Blowfish-CBC + + + camellia128 + 128 bit Camellia-CBC + + + camellia192 + 192 bit Camellia-CBC + + + camellia256 + 256 bit Camellia-CBC + + + camellia128ctr + 128 bit Camellia-COUNTER + + + camellia192ctr + 192 bit Camellia-COUNTER + + + camellia256ctr + 256 bit Camellia-COUNTER + + + camellia128ccm64 + 128 bit Camellia-CCM with 64 bit ICV + + + camellia192ccm64 + 192 bit Camellia-CCM with 64 bit ICV + + + camellia256ccm64 + 256 bit Camellia-CCM with 64 bit ICV + + + camellia128ccm96 + 128 bit Camellia-CCM with 96 bit ICV + + + camellia192ccm96 + 192 bit Camellia-CCM with 96 bit ICV + + + camellia256ccm96 + 256 bit Camellia-CCM with 96 bit ICV + + + camellia128ccm128 + 128 bit Camellia-CCM with 128 bit ICV + + + camellia192ccm128 + 192 bit Camellia-CCM with 128 bit ICV + + + camellia256ccm128 + 256 bit Camellia-CCM with 128 bit ICV + + + serpent128 + 128 bit Serpent-CBC + + + serpent192 + 192 bit Serpent-CBC + + + serpent256 + 256 bit Serpent-CBC + + + twofish128 + 128 bit Twofish-CBC + + + twofish192 + 192 bit Twofish-CBC + + + twofish256 + 256 bit Twofish-CBC + + + cast128 + 128 bit CAST-CBC + + + chacha20poly1305 + 256 bit ChaCha20/Poly1305 with 128 bit ICV + + + 
^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$ + + + + diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i new file mode 100644 index 000000000..ca5976d27 --- /dev/null +++ b/interface-definitions/include/vpn-ipsec-hash.xml.i @@ -0,0 +1,65 @@ + + + + Hash algorithm + + md5 md5_128 sha1 sha1_160 sha256 sha256_96 sha384 sha512 aesxcbc aescmac aes128gmac aes192gmac aes256gmac + + + md5 + MD5 HMAC + + + md5_128 + MD5_128 HMAC + + + sha1 + SHA1 HMAC (default) + + + sha1_160 + SHA1_160 HMAC + + + sha256 + SHA2_256_128 HMAC + + + sha256_96 + SHA2_256_96 HMAC + + + sha384 + SHA2_384_192 HMAC + + + sha512 + SHA2_512_256 HMAC + + + aesxcbc + AES XCBC + + + aescmac + AES CMAC + + + aes128gmac + 128-bit AES-GMAC + + + aes192gmac + 192-bit AES-GMAC + + + aes256gmac + 256-bit AES-GMAC + + + ^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$ + + + + diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in new file mode 100644 index 000000000..93eb7e667 --- /dev/null +++ b/interface-definitions/vpn_ipsec.xml.in 
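Review bot: The help text for `aes192ccm128` in this hunk reads `192 bit AES-CCM with 128 bit IC`, dropping the trailing letter every sibling entry carries; it should read `192 bit AES-CCM with 128 bit ICV`. Separately, `null`, `3des`, `blowfish128/192/256` and `cast128` are offered with the same neutral wording as the AES-GCM entries, so nothing at the prompt hints that `null` gives no confidentiality and that 3DES, Blowfish and CAST are legacy 64-bit-block ciphers; appending `(no confidentiality)` to the `null` help and `(legacy)` to those entries would make the difference visible at completion time. Whether the list should be trimmed is a project policy question, but the help text is the cheap fix and the regex at the end of the hunk would not change.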
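Review bot: `md5` and `sha1` are offered in this hunk with the same neutral help text as `sha256`, and `sha1` is marked `(default)`, so the completion list gives no indication that both are deprecated for IKE/ESP integrity; a suffix such as `MD5 HMAC (legacy)` and `SHA1 HMAC (legacy, default)` would make that visible without changing accepted values. The constraint regex at the end of the hunk matches the value list, so this is a documentation-only change.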
@@ -0,0 +1,1188 @@ + + + + + + + VPN IP security (IPsec) parameters + + + + + Set auto-update interval for IPsec daemon + + 30-65535 + Auto-update interval (s) + + + + + + + + + Option to disable requirement for unique IDs in the Security Database + + + + + + Name of Encapsulating Security Payload (ESP) group + + + + + ESP compression + + disable enable + + + disable + Disable ESP compression (default) + + + enable + Enable ESP compression + + + ^(disable|enable)$ + + + + + + ESP lifetime + + 30-86400 + ESP lifetime in seconds (default 3600) + + + + + + + + + ESP mode + + tunnel transport + + + tunnel + Tunnel mode (default) + + + transport + Transport mode + + + ^(tunnel|transport)$ + + + + + + ESP Perfect Forward Secrecy + + enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable + + + enable + Enable PFS. Use ike-groups dh-group (default) + + + dh-group1 + Enable PFS. Use Diffie-Hellman group 1 (modp768) + + + dh-group2 + Enable PFS. Use Diffie-Hellman group 2 (modp1024) + + + dh-group5 + Enable PFS. Use Diffie-Hellman group 5 (modp1536) + + + dh-group14 + Enable PFS. Use Diffie-Hellman group 14 (modp2048) + + + dh-group15 + Enable PFS. Use Diffie-Hellman group 15 (modp3072) + + + dh-group16 + Enable PFS. Use Diffie-Hellman group 16 (modp4096) + + + dh-group17 + Enable PFS. Use Diffie-Hellman group 17 (modp6144) + + + dh-group18 + Enable PFS. Use Diffie-Hellman group 18 (modp8192) + + + dh-group19 + Enable PFS. Use Diffie-Hellman group 19 (ecp256) + + + dh-group20 + Enable PFS. Use Diffie-Hellman group 20 (ecp384) + + + dh-group21 + Enable PFS. Use Diffie-Hellman group 21 (ecp521) + + + dh-group22 + Enable PFS. Use Diffie-Hellman group 22 (modp1024s160) + + + dh-group23 + Enable PFS. Use Diffie-Hellman group 23 (modp2048s224) + + + dh-group24 + Enable PFS. 
Use Diffie-Hellman group 24 (modp2048s256) + + + dh-group25 + Enable PFS. Use Diffie-Hellman group 25 (ecp192) + + + dh-group26 + Enable PFS. Use Diffie-Hellman group 26 (ecp224) + + + dh-group27 + Enable PFS. Use Diffie-Hellman group 27 (ecp224bp) + + + dh-group28 + Enable PFS. Use Diffie-Hellman group 28 (ecp256bp) + + + dh-group29 + Enable PFS. Use Diffie-Hellman group 29 (ecp384bp) + + + dh-group30 + Enable PFS. Use Diffie-Hellman group 30 (ecp512bp) + + + dh-group31 + Enable PFS. Use Diffie-Hellman group 31 (curve25519) + + + dh-group32 + Enable PFS. Use Diffie-Hellman group 32 (curve448) + + + disable + Disable PFS + + + ^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$ + + + + + + ESP-group proposal [REQUIRED] + + <1-65535> + ESP-group proposal number + + + + #include + #include + + + + + + + Name of Internet Key Exchange (IKE) group + + + + + close-action_help + + none hold clear restart + + + none + Set action to none (default) + + + hold + Set action to hold + + + clear + Set action to clear + + + restart + Set action to restart + + + ^(none|hold|clear|restart)$ + + + + + + Dead Peer Detection (DPD) + + + + + Keep-alive failure action + + hold clear restart + + + hold + Set action to hold (default) + + + clear + Set action to clear + + + restart + Set action to restart + + + ^(hold|clear|restart)$ + + + + + + Keep-alive interval + + <2-86400> + Keep-alive interval in seconds (default 30) + + + + + + + + + Dead-Peer-Detection keep-alive timeout (IKEv1 only) + + <2-86400> + Keep-alive timeout in seconds (default 120) + + + + + + + + + + + ikev2-reauth_help + + yes no + + + yes + Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug + + + no + Disable remote host re-authenticaton during an IKE rekey. 
(Default) + + + ^(yes|no)$ + + + + + + Key Exchange Version + + ikev1 ikev2 + + + ikev1 + Use IKEv1 for Key Exchange [DEFAULT] + + + ikev2 + Use IKEv2 for Key Exchange + + + ^(ikev1|ikev2)$ + + + + + + IKE lifetime + + <30-86400> + IKE lifetime in seconds (default 28800) + + + + + + + + + Enable MOBIKE Support. MOBIKE is only available for IKEv2. + + enable disable + + + enable + Enable MOBIKE (default for IKEv2) + + + disable + Disable MOBIKE + + + ^(enable|disable)$ + + + + + + IKEv1 Phase 1 Mode Selection + + main aggressive + + + main + Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) + + + aggressive + Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. + + + ^(main|aggressive)$ + + + + + + proposal_help + + <1-65535> + IKE-group proposal + + + + + + dh-grouphelp + + 1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 + + + 1 + Diffie-Hellman group 1 (modp768) + + + 2 + Diffie-Hellman group 2 (modp1024) + + + 5 + Diffie-Hellman group 5 (modp1536) + + + 14 + Diffie-Hellman group 14 (modp2048) + + + 15 + Diffie-Hellman group 15 (modp3072) + + + 16 + Diffie-Hellman group 16 (modp4096) + + + 17 + Diffie-Hellman group 17 (modp6144) + + + 18 + Diffie-Hellman group 18 (modp8192) + + + 19 + Diffie-Hellman group 19 (ecp256) + + + 20 + Diffie-Hellman group 20 (ecp384) + + + 21 + Diffie-Hellman group 21 (ecp521) + + + 22 + Diffie-Hellman group 22 (modp1024s160) + + + 23 + Diffie-Hellman group 23 (modp2048s224) + + + 24 + Diffie-Hellman group 24 (modp2048s256) + + + 25 + Diffie-Hellman group 25 (ecp192) + + + 26 + Diffie-Hellman group 26 (ecp224) + + + 27 + Diffie-Hellman group 27 (ecp224bp) + + + 28 + Diffie-Hellman group 28 (ecp256bp) + + + 29 + Diffie-Hellman group 29 (ecp384bp) + + + 30 + Diffie-Hellman group 30 (ecp512bp) + + + 31 + Diffie-Hellman group 31 (curve25519) + + + 32 + Diffie-Hellman group 32 (curve448) + + + 
^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$ + + + + #include + #include + + + + + + + Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file + + + + + Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file. + + + + + Interface to use for VPN [REQUIRED] + + + + + IPsec interface [REQUIRED] + + + + + + + + + + + IPsec logging + + + + + strongSwan Logger Level + + <0-2> + Logger Verbosity Level (default 0) + + + + + + + + + Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation + + dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any + + + dmn + Debug log option for strongSwan + + + mgr + Debug log option for strongSwan + + + ike + Debug log option for strongSwan + + + chd + Debug log option for strongSwan + + + job + Debug log option for strongSwan + + + cfg + Debug log option for strongSwan + + + knl + Debug log option for strongSwan + + + net + Debug log option for strongSwan + + + asn + Debug log option for strongSwan + + + enc + Debug log option for strongSwan + + + lib + Debug log option for strongSwan + + + esp + Debug log option for strongSwan + + + tls + Debug log option for strongSwan + + + tnc + Debug log option for strongSwan + + + imc + Debug log option for strongSwan + + + imv + Debug log option for strongSwan + + + pts + Debug log option for strongSwan + + + any + Debug log option for strongSwan + + + ^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$ + + + + + + + + + Network Address Translation (NAT) networks + + + + + NAT networks to allow + + ipv4net + NAT networks to allow + + + + + + + + + NAT networks to exclude from allowed-networks + + ipv4net + NAT networks to exclude from allowed-networks + + + + + + + + + + + + + + Network Address Translation (NAT) traversal + + disable enable + + + disable + Disable NAT-T + + + 
enable + Enable NAT-T + + + ^(disable|enable)$ + + + + + + Global IPsec settings + + + + + Do not automatically install routes to remote networks + + + + + + + + VPN IPSec Profile + + + + + Authentication [REQUIRED] + + + + + Authentication mode + + + + + Use pre-shared secret key + + + + + + + + Pre-shared secret key + + <text> + Pre-shared secret key + + + + + + + + DMVPN crypto configuration + + + + + bind_child_help + + + + + + + + Esp group name [REQUIRED] + + vpn ipsec esp-group + + + + + + Ike group name [REQUIRED] + + vpn ipsec ike-group + + + + + + + + Site to site VPN + + + + + VPN peer + + ipv4 + IPv4 address of the peer + + + ipv6 + IPv6 address of the peer + + + <text> + Hostname of the peer + + + <@text> + ID of the peer + + + + + + Peer authentication [REQUIRED] + + + + + ID for peer authentication + + <text> + ID used for peer authentication + + + + + + Authentication mode + + pre-shared-secret rsa x509 + + + pre-shared-secret + pre-shared-secret_description + + + rsa + rsa_description + + + x509 + x509_description + + + ^(pre-shared-secret|rsa|x509)$ + + + + + + Pre-shared secret key + + <text> + Pre-shared secret key + + + + + + ID for remote authentication + + <text> + ID used for peer authentication + + + + + + RSA key name + + + + + Use certificate common name as ID + + + + + + X.509 certificate + + + + + File containing the X.509 certificate for the Certificate Authority (CA) + + <text> + File in /config/auth + + + + + + File containing the X.509 certificate for this host + + <text> + File in /config/auth + + + + + + File containing the X.509 Certificate Revocation List (CRL) + + <text> + File in /config/auth + + + + + + Key file and password to open it + + + + + File containing the private key for the X.509 certificate for this host + + <text> + File in /config/auth + + + + + + Password that protects the private key + + <text> + Password that protects the private key + + + + + + + + + + + + Connection type + + initiate respond + + + initiate 
+ initiate_description + + + respond + respond_description + + + ^(initiate|respond)$ + + + + + + Defult ESP group name + + + + + VPN peer description + + + + + + DHCP interface to listen on + + + + + + Force UDP Encapsulation for ESP Payloads + + enable disable + + + enable + This endpoint will force UDP encapsulation for this peer + + + disable + This endpoint will not force UDP encapsulation for this peer + + + ^(enable|disable)$ + + + + + + Internet Key Exchange (IKE) group name [REQUIRED] + + vpn ipsec ike-group + + + + + + Re-authentication of the remote peer during an IKE re-key. IKEv2 option only + + yes no inherit + + + yes + Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug + + + no + Disable remote host re-authenticaton during an IKE re-key. + + + inherit + Inherit the reauth configuration form your IKE-group (Default) + + + ^(yes|no|inherit)$ + + + + + + IPv4 or IPv6 address of a local interface to use for VPN + + any + + + ipv4 + IPv4 address of a local interface for VPN + + + ipv6 + IPv6 address of a local interface for VPN + + + any + Allow any IPv4 address present on the system to be used for VPN + + + + + ^(any)$ + + + + + + Peer tunnel [REQUIRED] + + <0-4294967295> + Peer tunnel [REQUIRED] + + + + + + Option to allow NAT networks + + enable disable + + + enable + Enable NAT networks + + + disable + Disable NAT networks (default) + + + ^(enable|disable)$ + + + + + + Option to allow public networks + + enable disable + + + enable + Enable public networks + + + disable + Disable public networks (default) + + + ^(enable|disable)$ + + + + + + Option to disable vpn tunnel + + + + + + ESP group name + + vpn ipsec esp-group + + + + + + Local parameters for interesting traffic + + + + + Any TCP or UDP port + + <port name> + Named port (any name in /etc/services, e.g., http) + + + <1-65535> + Numbered port + + + + + + Local IPv4 or IPv6 prefix + + ipv4 + Local IPv4 prefix + + + ipv6 + Local IPv6 prefix + + + 
+ + + + + + + + + Protocol to encrypt + + + + + + Remote parameters for interesting traffic + + + + + Any TCP or UDP port + + <port name> + Named port (any name in /etc/services, e.g., http) + + + <1-65535> + Numbered port + + + + + + Remote IPv4 or IPv6 prefix + + ipv4 + Remote IPv4 prefix + + + ipv6 + Remote IPv6 prefix + + + + + + + + + + + + + + Virtual tunnel interface [REQUIRED] + + + + + VTI tunnel interface associated with this configuration [REQUIRED] + + + + + ESP group name [REQUIRED] + + vpn ipsec esp-group + + + + + + + + + + + + + + -- cgit v1.2.3
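Review bot: Several help strings in this hunk are unfilled placeholders that will be shown verbatim to operators: `close-action_help`, `ikev2-reauth_help`, `proposal_help`, `dh-grouphelp`, `bind_child_help`, and under site-to-site authentication `pre-shared-secret_description`, `rsa_description`, `x509_description`, `initiate_description` and `respond_description`; each needs a real one-line description (for dh-group, `Diffie-Hellman group` would do). There are also typos in user-visible text: `Defult ESP group name` → `Default ESP group name`, `re-autentication` / `re-authenticaton` → `re-authentication` (present in both the ike-group and the peer ikev2-reauth node), and `form your IKE-group` → `from your IKE-group`. The `yes` value for ikev2-reauth carries `Currently broken due to a strong swan bug` with no reference; if the defect is real the help should cite the tracker item or affected strongSwan version, otherwise the sentence should be dropped. Finally, `ikev1` is labelled `[DEFAULT]` for key-exchange while `aggressive` mode is already flagged as insecure; keeping the IKEv1 default for compatibility is a project decision, but marking it `(legacy)` would be consistent with the warning already given for aggressive mode.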