#!/usr/bin/env python3 # # Copyright (C) 2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . import re from sys import argv from sys import exit from vyos.configtree import ConfigTree from vyos.template import is_ipv4 from vyos.template import is_ipv6 if (len(argv) < 1): print("Must specify file name!") exit(1) file_name = argv[1] with open(file_name, 'r') as f: config_file = f.read() base = ['vpn', 'ipsec'] config = ConfigTree(config_file) if not config.exists(base): # Nothing to do exit(0) # IKE changes, T4118: if config.exists(base + ['ike-group']): for ike_group in config.list_nodes(base + ['ike-group']): # replace 'ipsec ike-group mobike disable' # => 'ipsec ike-group disable-mobike' mobike = base + ['ike-group', ike_group, 'mobike'] if config.exists(mobike): if config.return_value(mobike) == 'disable': config.set(base + ['ike-group', ike_group, 'disable-mobike']) config.delete(mobike) # replace 'ipsec ike-group ikev2-reauth yes' # => 'ipsec ike-group ikev2-reauth' reauth = base + ['ike-group', ike_group, 'ikev2-reauth'] if config.exists(reauth): if config.return_value(reauth) == 'yes': config.delete(reauth) config.set(reauth) else: config.delete(reauth) # ESP changes # replace 'ipsec esp-group compression enable' # => 'ipsec esp-group compression' if config.exists(base + ['esp-group']): for esp_group in config.list_nodes(base + ['esp-group']): compression = base + ['esp-group', esp_group, 'compression'] if config.exists(compression): if config.return_value(compression) == 'enable': config.delete(compression) config.set(compression) else: config.delete(compression) # PEER changes if config.exists(base + ['site-to-site', 'peer']): for peer in config.list_nodes(base + ['site-to-site', 'peer']): # replace: 'peer id x' # => 'peer local-id x' if config.exists(base + ['site-to-site', 'peer', peer, 'authentication', 'id']): config.rename(base + ['site-to-site', 'peer', peer, 'authentication', 'id'], 'local-id') # For the peer '@foo' set remote-id 'foo' if remote-id is not defined if peer.startswith('@'): if not config.exists(base + ['site-to-site', 'peer', peer, 'authentication', 'remote-id']): tmp = peer.replace('@', '') config.set(base + ['site-to-site', 'peer', peer, 'authentication', 'remote-id'], value=tmp) # replace: 'peer force-encapsulation enable' # => 'peer force-udp-encapsulation' force_enc = base + ['site-to-site', 'peer', peer, 'force-encapsulation'] if config.exists(force_enc): if config.return_value(force_enc) == 'enable': config.delete(force_enc) config.set(base + ['site-to-site', 'peer', peer, 'force-udp-encapsulation']) else: config.delete(force_enc) # add option: 'peer remote-address x.x.x.x' remote_address = peer if peer.startswith('@'): remote_address = 'any' config.set(base + ['site-to-site', 'peer', peer, 'remote-address'], value=remote_address) # Peer name it is swanctl connection name and shouldn't contain dots or colons # rename peer: # peer 192.0.2.1 => peer peer_192-0-2-1 # peer 2001:db8::2 => peer peer_2001-db8--2 # peer @foo => peer peer_foo re_peer_name = re.sub(':|\.', '-', peer) if re_peer_name.startswith('@'): re_peer_name = re.sub('@', '', re_peer_name) new_peer_name = f'peer_{re_peer_name}' config.rename(base + ['site-to-site', 'peer', peer], new_peer_name) try: with open(file_name, 'w') as f: f.write(config.to_string()) except OSError as e: print(f'Failed to save the modified config: {e}') exit(1)