From 7ae0b404ad9fdefa856c7e450b224b47d854a4eb Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Tue, 17 Jan 2023 11:04:08 +0000
Subject: T4916: Rewrite IPsec peer authentication and psk migration

Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed

replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
      => 'ipsec authentication psk <tag> secret xxx'

set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'

Add template filter for Jinja2 'generate_uuid4'
---
 src/migration-scripts/ipsec/10-to-11 | 85 ++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100755 src/migration-scripts/ipsec/10-to-11

(limited to 'src/migration-scripts/ipsec')

diff --git a/src/migration-scripts/ipsec/10-to-11 b/src/migration-scripts/ipsec/10-to-11
new file mode 100755
index 000000000..ec38d0034
--- /dev/null
+++ b/src/migration-scripts/ipsec/10-to-11
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+
+if (len(argv) < 1):
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['vpn', 'ipsec']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+# PEER changes
+if config.exists(base + ['site-to-site', 'peer']):
+    for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+        peer_base = base + ['site-to-site', 'peer', peer]
+
+        # replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
+        #       => 'ipsec authentication psk <tag> secret xxx'
+        if config.exists(peer_base + ['authentication', 'pre-shared-secret']):
+            tmp = config.return_value(peer_base + ['authentication', 'pre-shared-secret'])
+            config.delete(peer_base + ['authentication', 'pre-shared-secret'])
+            config.set(base + ['authentication', 'psk', peer, 'secret'], value=tmp)
+            # format as tag node to avoid loading problems
+            config.set_tag(base + ['authentication', 'psk'])
+
+            # Get id's from peers for "ipsec auth psk <tag> id xxx"
+            if config.exists(peer_base + ['authentication', 'local-id']):
+                local_id = config.return_value(peer_base + ['authentication', 'local-id'])
+                config.set(base + ['authentication', 'psk', peer, 'id'], value=local_id, replace=False)
+            if config.exists(peer_base + ['authentication', 'remote-id']):
+                remote_id = config.return_value(peer_base + ['authentication', 'remote-id'])
+                config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_id, replace=False)
+
+            if config.exists(peer_base + ['local-address']):
+                tmp = config.return_value(peer_base + ['local-address'])
+                config.set(base + ['authentication', 'psk', peer, 'id'], value=tmp, replace=False)
+            if config.exists(peer_base + ['remote-address']):
+                tmp = config.return_value(peer_base + ['remote-address'])
+                if tmp:
+                    for remote_addr in tmp:
+                        if remote_addr == 'any':
+                            remote_addr = '%any'
+                        config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_addr, replace=False)
+
+            # get DHCP peer interface as psk dhcp-interface
+            if config.exists(peer_base + ['dhcp-interface']):
+                tmp = config.return_value(peer_base + ['dhcp-interface'])
+                config.set(base + ['authentication', 'psk', peer, 'dhcp-interface'], value=tmp)
+
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print(f'Failed to save the modified config: {e}')
+    exit(1)
-- 
cgit v1.2.3