From eabc5f1c2e5bfe548cb3d62f2f85f8d61be29b92 Mon Sep 17 00:00:00 2001
From: Simon <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 28 May 2021 16:35:12 +0200
Subject: ipsec: T2816: IPSec python rework, includes DMVPN and VTI support

---
 interface-definitions/include/ip-protocol.xml.i | 17 +++++++
 interface-definitions/ipsec-settings.xml.in     |  1 +
 interface-definitions/vpn_ipsec.xml.in          | 61 ++++++++++++++-----------
 interface-definitions/vpn_rsa-keys.xml.in       | 46 +++++++++++++++++++
 4 files changed, 99 insertions(+), 26 deletions(-)
 create mode 100644 interface-definitions/include/ip-protocol.xml.i
 create mode 100644 interface-definitions/vpn_rsa-keys.xml.in

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/ip-protocol.xml.i b/interface-definitions/include/ip-protocol.xml.i
new file mode 100644
index 000000000..ce9345024
--- /dev/null
+++ b/interface-definitions/include/ip-protocol.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from ip-protocol.xml.i -->
+<leafNode name="protocol">
+    <properties>
+      <help>Protocol</help>
+      <valueHelp>
+        <format>txt</format>
+        <description>Protocol name</description>
+      </valueHelp>
+      <completionHelp>
+        <script>${vyos_completion_dir}/list_protocols.sh</script>
+      </completionHelp>
+      <constraint>
+        <validator name="ip-protocol"/>
+      </constraint>
+    </properties>
+</leafNode>
+<!-- include end from ip-protocol.xml.i -->
diff --git a/interface-definitions/ipsec-settings.xml.in b/interface-definitions/ipsec-settings.xml.in
index bc54baa27..0bcba9a84 100644
--- a/interface-definitions/ipsec-settings.xml.in
+++ b/interface-definitions/ipsec-settings.xml.in
@@ -7,6 +7,7 @@
           <node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py">
             <properties>
               <help>Global IPsec settings</help>
+              <priority>902</priority>
             </properties>
             <children>
               <leafNode name="disable-route-autoinstall">
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 426d7e71c..5bf0ef9ba 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,10 +1,15 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="vpn">
+    <properties>
+      <help>Virtual Private Network (VPN)</help>
+      <priority>900</priority>
+    </properties>
     <children>
-      <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+      <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
         <properties>
           <help>VPN IP security (IPsec) parameters</help>
+          <priority>901</priority>
         </properties>
         <children>
           <leafNode name="auto-update">
@@ -296,7 +301,7 @@
                   </completionHelp>
                   <valueHelp>
                     <format>yes</format>
-                    <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description>
+                    <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description>
                   </valueHelp>
                   <valueHelp>
                     <format>no</format>
@@ -386,6 +391,7 @@
                 </properties>
                 <children>
                   <leafNode name="dh-group">
+                    <defaultValue>2</defaultValue>
                     <properties>
                       <help>dh-grouphelp</help>
                       <completionHelp>
@@ -621,7 +627,7 @@
           </node>
           <node name="nat-networks">
             <properties>
-              <help>Network Address Translation (NAT) networks</help>
+              <help>Network Address Translation (NAT) networks (Obsolete)</help>
             </properties>
             <children>
               <tagNode name="allowed-network">
@@ -655,7 +661,7 @@
           </node>
           <leafNode name="nat-traversal">
             <properties>
-              <help>Network Address Translation (NAT) traversal</help>
+              <help>Network Address Translation (NAT) traversal (Obsolete)</help>
               <completionHelp>
                 <list>disable enable</list>
               </completionHelp>
@@ -695,19 +701,18 @@
                   <help>Authentication [REQUIRED]</help>
                 </properties>
                 <children>
-                  <node name="mode">
+                  <leafNode name="mode">
                     <properties>
                       <help>Authentication mode</help>
+                      <completionHelp>
+                        <list>pre-shared-secret</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>pre-shared-secret</format>
+                        <description>Use pre shared secret key</description>
+                      </valueHelp>
                     </properties>
-                    <children>
-                      <leafNode name="pre-shared-secret">
-                        <properties>
-                          <help>Use pre-shared secret key</help>
-                          <valueless/>
-                        </properties>
-                      </leafNode>
-                    </children>
-                  </node>
+                  </leafNode>
                   <leafNode name="pre-shared-secret">
                     <properties>
                       <help>Pre-shared secret key</help>
@@ -724,17 +729,21 @@
                   <help>DMVPN crypto configuration</help>
                 </properties>
                 <children>
-                  <leafNode name="bind_child">
+                  <leafNode name="tunnel">
                     <properties>
-                      <help>bind_child_help</help>
-                      <valueless/>
+                      <help>Tunnel interface associated with this configuration profile</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Tunnel interface associated with this configuration profile</description>
+                      </valueHelp>
+                      <multi/>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               <leafNode name="esp-group">
                 <properties>
-                  <help>Esp group name [REQUIRED]</help>
+                  <help>ESP group name [REQUIRED]</help>
                   <completionHelp>
                     <path>vpn ipsec esp-group</path>
                   </completionHelp>
@@ -742,7 +751,7 @@
               </leafNode>
               <leafNode name="ike-group">
                 <properties>
-                  <help>Ike group name [REQUIRED]</help>
+                  <help>IKE group name [REQUIRED]</help>
                   <completionHelp>
                     <path>vpn ipsec ike-group</path>
                   </completionHelp>
@@ -909,6 +918,9 @@
                   <leafNode name="default-esp-group">
                     <properties>
                       <help>Defult ESP group name</help>
+                      <completionHelp>
+                        <path>vpn ipsec esp-group</path>
+                      </completionHelp>
                     </properties>
                   </leafNode>
                   <leafNode name="description">
@@ -920,7 +932,9 @@
                   <leafNode name="dhcp-interface">
                     <properties>
                       <help>DHCP interface to listen on</help>
-                      <valueless/>
+                      <completionHelp>
+                        <script>${vyos_completion_dir}/list_interfaces.py</script>
+                      </completionHelp>
                     </properties>
                   </leafNode>
                   <leafNode name="force-encapsulation">
@@ -1091,12 +1105,7 @@
                           </leafNode>
                         </children>
                       </node>
-                      <leafNode name="protocol">
-                        <properties>
-                          <help>Protocol to encrypt</help>
-                          <valueless/>
-                        </properties>
-                      </leafNode>
+                      #include <include/ip-protocol.xml.i>
                       <node name="remote">
                         <properties>
                           <help>Remote parameters for interesting traffic</help>
diff --git a/interface-definitions/vpn_rsa-keys.xml.in b/interface-definitions/vpn_rsa-keys.xml.in
new file mode 100644
index 000000000..f65ae4b5a
--- /dev/null
+++ b/interface-definitions/vpn_rsa-keys.xml.in
@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="vpn">
+    <children>
+      <node name="rsa-keys" owner="${vyos_conf_scripts_dir}/vpn_rsa-keys.py">
+        <properties>
+          <help>RSA keys</help>
+        </properties>
+        <children>
+          <node name="local-key">
+            <properties>
+              <help>Local RSA key</help>
+            </properties>
+            <children>
+              <leafNode name="file">
+                <properties>
+                  <help>Local RSA key file location</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>File in /config/auth or /config/ipsec.d/rsa-keys</description>
+                  </valueHelp>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <tagNode name="rsa-key-name">
+            <properties>
+              <help>Name of remote RSA key</help>
+            </properties>
+            <children>
+              <leafNode name="rsa-key">
+                <properties>
+                  <help>Remote RSA key</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>Remote RSA key</description>
+                  </valueHelp>
+                </properties>
+              </leafNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3