1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
|
#!/usr/bin/env python3
#
# Copyright (C) 2018 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
import sys
import re
import os
import jinja2
import syslog as sl
import vyos.config
import vyos.defaults
from vyos import ConfigError
ra_conn_name = "remote-access"
charon_conf_file = "/etc/strongswan.d/charon.conf"
ipsec_secrets_flie = "/etc/ipsec.secrets"
ipsec_ra_conn_file = "/etc/ipsec.d/tunnels/"+ra_conn_name
ipsec_conf_flie = "/etc/ipsec.conf"
ca_cert_path = '/etc/ipsec.d/cacerts'
server_cert_path = '/etc/ipsec.d/certs'
server_key_path = '/etc/ipsec.d/private'
delim_ipsec_l2tp_begin = "### VyOS L2TP VPN Begin ###"
delim_ipsec_l2tp_end = "### VyOS L2TP VPN End ###"
l2pt_ipsec_conf = '''
{{delim_ipsec_l2tp_begin}}
include {{ipsec_ra_conn_file}}
{{delim_ipsec_l2tp_end}}
'''
l2pt_ipsec_secrets_conf = '''
{{delim_ipsec_l2tp_begin}}
{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %}
{{outside_addr}} %any : PSK "{{ipsec_l2tp_secret}}"
{% elif ipsec_l2tp_auth_mode == 'x509' %}
: RSA {{server_key_file_copied}}
{% endif%}
{{delim_ipsec_l2tp_end}}
'''
l2tp_ipsec_ra_conn_conf = '''
{{delim_ipsec_l2tp_begin}}
conn {{ra_conn_name}}
type=transport
left={{outside_addr}}
leftsubnet=%dynamic[/1701]
rightsubnet=%dynamic
mark_in=%unique
auto=add
ike=aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
dpddelay=15
dpdtimeout=45
dpdaction=clear
esp=aes256-sha1,3des-sha1!
rekey=no
{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %}
authby=secret
leftauth=psk
rightauth=psk
{% elif ipsec_l2tp_auth_mode == 'x509' %}
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
rightca=%same
leftcert={{server_cert_file_copied}}
{% endif %}
ikelifetime={{ipsec_l2tp_ike_lifetime}}
keylife={{ipsec_l2tp_lifetime}}
{{delim_ipsec_l2tp_end}}
'''
def get_config():
config = vyos.config.Config()
data = {"install_routes": "yes"}
if config.exists("vpn ipsec options disable-route-autoinstall"):
data["install_routes"] = "no"
if config.exists("vpn ipsec ipsec-interfaces interface"):
data["ipsec_interfaces"] = config.return_values("vpn ipsec ipsec-interfaces interface")
# Init config variables
data["delim_ipsec_l2tp_begin"] = delim_ipsec_l2tp_begin
data["delim_ipsec_l2tp_end"] = delim_ipsec_l2tp_end
data["ipsec_ra_conn_file"] = ipsec_ra_conn_file
data["ra_conn_name"] = ra_conn_name
# Get l2tp ipsec settings
data["ipsec_l2tp"] = False
conf_ipsec_command = "vpn l2tp remote-access ipsec-settings " #last space is useful
if config.exists(conf_ipsec_command):
data["ipsec_l2tp"] = True
# Authentication params
if config.exists(conf_ipsec_command + "authentication mode"):
data["ipsec_l2tp_auth_mode"] = config.return_value(conf_ipsec_command + "authentication mode")
if config.exists(conf_ipsec_command + "authentication pre-shared-secret"):
data["ipsec_l2tp_secret"] = config.return_value(conf_ipsec_command + "authentication pre-shared-secret")
# mode x509
if config.exists(conf_ipsec_command + "authentication x509 ca-cert-file"):
data["ipsec_l2tp_x509_ca_cert_file"] = config.return_value(conf_ipsec_command + "authentication x509 ca-cert-file")
if config.exists(conf_ipsec_command + "authentication x509 crl-file"):
data["ipsec_l2tp_x509_crl_file"] = config.return_value(conf_ipsec_command + "authentication x509 crl-file")
if config.exists(conf_ipsec_command + "authentication x509 server-cert-file"):
data["ipsec_l2tp_x509_server_cert_file"] = config.return_value(conf_ipsec_command + "authentication x509 server-cert-file")
data["server_cert_file_copied"] = server_cert_path+"/"+re.search('\w+(?:\.\w+)*$', config.return_value(conf_ipsec_command + "authentication x509 server-cert-file")).group(0)
if config.exists(conf_ipsec_command + "authentication x509 server-key-file"):
data["ipsec_l2tp_x509_server_key_file"] = config.return_value(conf_ipsec_command + "authentication x509 server-key-file")
data["server_key_file_copied"] = server_key_path+"/"+re.search('\w+(?:\.\w+)*$', config.return_value(conf_ipsec_command + "authentication x509 server-key-file")).group(0)
if config.exists(conf_ipsec_command + "authentication x509 server-key-password"):
data["ipsec_l2tp_x509_server_key_password"] = config.return_value(conf_ipsec_command + "authentication x509 server-key-password")
# Common l2tp ipsec params
if config.exists(conf_ipsec_command + "ike-lifetime"):
data["ipsec_l2tp_ike_lifetime"] = config.return_value(conf_ipsec_command + "ike-lifetime")
else:
data["ipsec_l2tp_ike_lifetime"] = "3600"
if config.exists(conf_ipsec_command + "lifetime"):
data["ipsec_l2tp_lifetime"] = config.return_value(conf_ipsec_command + "lifetime")
else:
data["ipsec_l2tp_lifetime"] = "3600"
if config.exists("vpn l2tp remote-access outside-address"):
data['outside_addr'] = config.return_value('vpn l2tp remote-access outside-address')
return data
### ipsec secret l2tp
def write_ipsec_secrets(c):
tmpl = jinja2.Template(l2pt_ipsec_secrets_conf, trim_blocks=True)
l2pt_ipsec_secrets_txt = tmpl.render(c)
old_umask = os.umask(0o077)
open(ipsec_secrets_flie,'w').write(l2pt_ipsec_secrets_txt)
os.umask(old_umask)
sl.syslog(sl.LOG_NOTICE, ipsec_secrets_flie + ' written')
### ipsec remote access connection config
def write_ipsec_ra_conn(c):
tmpl = jinja2.Template(l2tp_ipsec_ra_conn_conf, trim_blocks=True)
ipsec_ra_conn_txt = tmpl.render(c)
old_umask = os.umask(0o077)
open(ipsec_ra_conn_file,'w').write(ipsec_ra_conn_txt)
os.umask(old_umask)
sl.syslog(sl.LOG_NOTICE, ipsec_ra_conn_file + ' written')
### Remove config from file by delimiter
def remove_confs(delim_begin, delim_end, conf_file):
os.system("sed -i '/"+delim_begin+"/,/"+delim_end+"/d' "+conf_file)
### Append "include /path/to/ra_conn" to ipsec conf file
def append_ipsec_conf(c):
tmpl = jinja2.Template(l2pt_ipsec_conf, trim_blocks=True)
l2pt_ipsec_conf_txt = tmpl.render(c)
old_umask = os.umask(0o077)
open(ipsec_conf_flie,'a').write(l2pt_ipsec_conf_txt)
os.umask(old_umask)
sl.syslog(sl.LOG_NOTICE, ipsec_conf_flie + ' written')
### Checking certificate storage and notice if certificate not in /config directory
def check_cert_file_store(cert_name, file_path, dts_path):
if not re.search('^\/config\/.+', file_path):
print("Warning: \"" + file_path + "\" lies outside of /config/auth directory. It will not get preserved during image upgrade.")
#Checking file existence
if not os.path.isfile(file_path):
raise ConfigError("L2TP VPN configuration error: Invalid "+cert_name+" \""+file_path+"\"")
else:
### Cpy file to /etc/ipsec.d/certs/ /etc/ipsec.d/cacerts/
# todo make check
ret = os.system('cp -f '+file_path+' '+dts_path)
if ret:
raise ConfigError("L2TP VPN configuration error: Cannot copy "+file_path)
else:
sl.syslog(sl.LOG_NOTICE, file_path + ' copied to '+dts_path)
def verify(data):
# l2tp ipsec check
if data["ipsec_l2tp"]:
# Checking dependecies for "authentication mode pre-shared-secret"
if data.get("ipsec_l2tp_auth_mode") == "pre-shared-secret":
if not data.get("ipsec_l2tp_secret"):
raise ConfigError("pre-shared-secret required")
if not data.get("outside_addr"):
raise ConfigError("outside-address not defined")
# Checking dependecies for "authentication mode x509"
if data.get("ipsec_l2tp_auth_mode") == "x509":
if not data.get("ipsec_l2tp_x509_server_key_file"):
raise ConfigError("L2TP VPN configuration error: \"server-key-file\" not defined.")
else:
check_cert_file_store("server-key-file", data['ipsec_l2tp_x509_server_key_file'], server_key_path)
if not data.get("ipsec_l2tp_x509_server_cert_file"):
raise ConfigError("L2TP VPN configuration error: \"server-cert-file\" not defined.")
else:
check_cert_file_store("server-cert-file", data['ipsec_l2tp_x509_server_cert_file'], server_cert_path)
if not data.get("ipsec_l2tp_x509_ca_cert_file"):
raise ConfigError("L2TP VPN configuration error: \"ca-cert-file\" must be defined for X.509")
else:
check_cert_file_store("ca-cert-file", data['ipsec_l2tp_x509_ca_cert_file'], ca_cert_path)
if not data.get('ipsec_interfaces'):
raise ConfigError("L2TP VPN configuration error: \"vpn ipsec ipsec-interfaces\" must be specified.")
def generate(data):
tmpl_path = os.path.join(vyos.defaults.directories["data"], "templates", "ipsec")
fs_loader = jinja2.FileSystemLoader(tmpl_path)
env = jinja2.Environment(loader=fs_loader)
charon_conf_tmpl = env.get_template("charon.tmpl")
charon_conf = charon_conf_tmpl.render(data)
with open(charon_conf_file, 'w') as f:
f.write(charon_conf)
if data["ipsec_l2tp"]:
remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_flie)
write_ipsec_secrets(data)
write_ipsec_ra_conn(data)
append_ipsec_conf(data)
else:
remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_ra_conn_file)
remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_flie)
remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_flie)
def apply(data):
# Do nothing
# StrongSWAN should only be restarted when actual tunnels are configured
# Restart ipsec for l2tp
os.system("ipsec restart >&/dev/null")
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
sys.exit(1)
|