From eabc5f1c2e5bfe548cb3d62f2f85f8d61be29b92 Mon Sep 17 00:00:00 2001
From: Simon <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 28 May 2021 16:35:12 +0200
Subject: ipsec: T2816: IPSec python rework, includes DMVPN and VTI support

---
 op-mode-definitions/vpn-ipsec.xml.in | 251 +++++++++++++++++++++++++++++++++++
 1 file changed, 251 insertions(+)
 create mode 100644 op-mode-definitions/vpn-ipsec.xml.in

(limited to 'op-mode-definitions/vpn-ipsec.xml.in')

diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in
new file mode 100644
index 000000000..b836b193f
--- /dev/null
+++ b/op-mode-definitions/vpn-ipsec.xml.in
@@ -0,0 +1,251 @@
+<?xml version="1.0"  encoding="UTF-8"?>
+<interfaceDefinition>
+  <node name="generate">
+    <children>
+      <node name="vpn">
+        <properties>
+          <help>VPN key generation utility</help>
+        </properties>
+        <children>
+          <node name="rsa-key">
+            <properties>
+              <help>Generate local RSA key (default: bits=2192)</help>
+            </properties>
+            <children>
+              <tagNode name="bits">
+                <properties>
+                  <help>Generate local RSA key with specified number of bits</help>
+                  <completionHelp>
+                    <list>&lt;16-4096&gt;</list>
+                  </completionHelp>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="rsa-key" --bits="$5"</command>
+              </tagNode>
+            </children>
+            <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="rsa-key" --bits="2192"</command>
+          </node>
+          <node name="x509">
+            <properties>
+              <help>x509 key-pair generation tool</help>
+            </properties>
+            <children>
+              <tagNode name="key-pair">
+                <properties>
+                  <help>Generate x509 key-pair</help>
+                  <completionHelp>
+                    <list>&lt;common-name&gt;</list>
+                  </completionHelp>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="x509" --name="$5"</command>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="reset">
+    <children>
+      <node name="vpn">
+        <properties>
+          <help>Reset Virtual Private Network (VPN) information</help>
+        </properties>
+        <children>
+          <tagNode name="ipsec-peer">
+            <properties>
+              <help>Reset all tunnels for given peer</help>
+              <completionHelp>
+                <path>vpn ipsec site-to-site peer</path>
+              </completionHelp>
+            </properties>
+            <children>
+              <tagNode name="tunnel">
+                <properties>
+                  <help>Reset a specific tunnel for given peer</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="$6"</command>
+              </tagNode>
+              <node name="vti">
+                <properties>
+                  <help>Reset the VTI tunnel for given peer</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="vti"</command>
+              </node>
+            </children>
+            <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="all"</command>
+          </tagNode>
+          <tagNode name="ipsec-profile">
+            <properties>
+              <help>Reset all tunnels for given DMVPN profile</help>
+              <completionHelp>
+                <path>vpn ipsec profile</path>
+              </completionHelp>
+            </properties>
+            <children>
+              <tagNode name="tunnel">
+                <properties>
+                  <help>Reset a specific tunnel for given DMVPN profile</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="$6"</command>
+              </tagNode>
+            </children>
+            <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="all"</command>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="restart">
+    <children>
+      <node name="vpn">
+        <properties>
+          <help>Restart IPSec VPN</help>
+        </properties>
+        <command>if pgrep charon >/dev/null ; then sudo /usr/sbin/ipsec restart ; else echo "IPSec process not running" ; fi</command>
+      </node>
+    </children>
+  </node>
+  <node name="show">
+    <children>
+      <node name="vpn">
+        <properties>
+          <help>Show Virtual Private Network (VPN) information</help>
+        </properties>
+        <children>
+          <node name="debug">
+            <properties>
+              <help>Show VPN debugging information</help>
+            </properties>
+            <children>
+              <tagNode name="peer">
+                <properties>
+                  <help>Show debugging information for a peer</help>
+                </properties>
+                <children>
+                  <tagNode name="tunnel">
+                    <properties>
+                      <help>Show debugging information for a peer's tunnel</help>
+                    </properties>
+                    <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="$7"</command>
+                  </tagNode>
+                </children>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="all"</command>
+              </tagNode>
+            </children>
+            <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="all"</command>
+          </node>
+          <node name="ike">
+            <properties>
+              <help>Show Internet Key Exchange (IKE) information</help>
+            </properties>
+            <children>
+              <node name="rsa-keys">
+                <properties>
+                  <help>Show VPN RSA keys</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="rsa-key-show"</command>
+              </node>
+              <node name="sa">
+                <properties>
+                  <help>Show all currently active IKE Security Associations (SA)</help>
+                </properties>
+                <children>
+                  <node name="nat-traversal">
+                    <properties>
+                      <help>Show all currently active IKE Security Associations (SA) that are using NAT Traversal</help>
+                    </properties>
+                    <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py --nat="yes"</command>
+                  </node>
+                  <tagNode name="peer">
+                    <properties>
+                      <help>Show all currently active IKE Security Associations (SA) for a peer</help>
+                    </properties>
+                    <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py --peer="$6"</command>
+                  </tagNode>
+                </children>
+                <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py</command>
+              </node>
+              <node name="secrets">
+                <properties>
+                  <help>Show all the pre-shared key secrets</help>
+                </properties>
+                <command>sudo cat /etc/ipsec.secrets | sed 's/#.*//'</command>
+              </node>
+              <node name="status">
+                <properties>
+                  <help>Show summary of IKE process information</help>
+                </properties>
+                <command>if pgrep charon >/dev/null ; then echo "Running: $(pgrep charon)" ; else echo "Process is not running" ; fi</command>
+              </node>
+            </children>
+          </node>
+          <node name="ipsec">
+            <properties>
+              <help>Show Internet Protocol Security (IPSec) information</help>
+            </properties>
+            <children>
+              <node name="policy">
+                <properties>
+                  <help>Show the in-kernel crypto policies</help>
+                </properties>
+                <command>sudo ip xfrm policy list</command>
+              </node>
+              <node name="sa">
+                <properties>
+                  <help>Show all active IPSec Security Associations (SA)</help>
+                </properties>
+                <children>
+                  <!--
+                  <node name="detail">
+                    <properties>
+                      <help>Show Detail on all active IPSec Security Associations (SA)</help>
+                    </properties>
+                    <command></command>
+                  </node>
+                  <tagNode name="stats">
+                    <properties>
+                      <help>Show statistics for all currently active IPSec Security Associations (SA)</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Show Statistics for SAs associated with a specific peer</description>
+                      </valueHelp>
+                    </properties>
+                    <children>
+                      <tagNode name="tunnel">
+                        <properties>
+                          <help>Show Statistics for SAs associated with a specific peer</help>
+                        </properties>
+                        <command></command>
+                      </tagNode>
+                    </children>
+                    <command></command>
+                  </tagNode>
+                  -->
+                  <node name="verbose">
+                    <properties>
+                      <help>Show Verbose Detail on all active IPSec Security Associations (SA)</help>
+                    </properties>
+                    <command>if pgrep charon >/dev/null ; then sudo /usr/sbin/ipsec statusall ; else echo "IPSec process not running" ; fi</command>
+                  </node>
+                </children>
+                <command>if pgrep charon >/dev/null ; then sudo /usr/libexec/vyos/op_mode/show_ipsec_sa.py ; else echo "IPSec process not running" ; fi</command>
+              </node>
+              <node name="state">
+                <properties>
+                  <help>Show the in-kernel crypto state</help>
+                </properties>
+                <command>sudo ip xfrm state list</command>
+              </node>
+              <node name="status">
+                <properties>
+                  <help>Show status of IPSec process</help>
+                </properties>
+                <command>if pgrep charon >/dev/null ; then echo -e "IPSec Process Running: $(pgrep charon)\n$(sudo /usr/sbin/ipsec status)" ; else echo "IPSec process not running" ; fi</command>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3