T6732: added same as vyos 1x

9 files changed, 634 insertions, 0 deletions

diff --git a/src/migration-scripts/ipsec/10-to-11 b/src/migration-scripts/ipsec/10-to-11
new file mode 100644
index 0000000..6c4ccb5
--- /dev/null
+++ b/src/migration-scripts/ipsec/10-to-11
@@ -0,0 +1,63 @@
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T4916: Rewrite IPsec peer authentication and psk migration
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    # PEER changes
+    if config.exists(base + ['site-to-site', 'peer']):
+        for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+            peer_base = base + ['site-to-site', 'peer', peer]
+
+            # replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
+            #       => 'ipsec authentication psk <tag> secret xxx'
+            if config.exists(peer_base + ['authentication', 'pre-shared-secret']):
+                tmp = config.return_value(peer_base + ['authentication', 'pre-shared-secret'])
+                config.delete(peer_base + ['authentication', 'pre-shared-secret'])
+                config.set(base + ['authentication', 'psk', peer, 'secret'], value=tmp)
+                # format as tag node to avoid loading problems
+                config.set_tag(base + ['authentication', 'psk'])
+
+                # Get id's from peers for "ipsec auth psk <tag> id xxx"
+                if config.exists(peer_base + ['authentication', 'local-id']):
+                    local_id = config.return_value(peer_base + ['authentication', 'local-id'])
+                    config.set(base + ['authentication', 'psk', peer, 'id'], value=local_id, replace=False)
+                if config.exists(peer_base + ['authentication', 'remote-id']):
+                    remote_id = config.return_value(peer_base + ['authentication', 'remote-id'])
+                    config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_id, replace=False)
+
+                if config.exists(peer_base + ['local-address']):
+                    tmp = config.return_value(peer_base + ['local-address'])
+                    config.set(base + ['authentication', 'psk', peer, 'id'], value=tmp, replace=False)
+                if config.exists(peer_base + ['remote-address']):
+                    tmp = config.return_values(peer_base + ['remote-address'])
+                    if tmp:
+                        for remote_addr in tmp:
+                            if remote_addr == 'any':
+                                remote_addr = '%any'
+                            config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_addr, replace=False)
+
+                # get DHCP peer interface as psk dhcp-interface
+                if config.exists(peer_base + ['dhcp-interface']):
+                    tmp = config.return_value(peer_base + ['dhcp-interface'])
+                    config.set(base + ['authentication', 'psk', peer, 'dhcp-interface'], value=tmp)
diff --git a/src/migration-scripts/ipsec/11-to-12 b/src/migration-scripts/ipsec/11-to-12
new file mode 100644
index 0000000..fc65f18
--- /dev/null
+++ b/src/migration-scripts/ipsec/11-to-12
@@ -0,0 +1,31 @@
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Remove legacy ipsec.conf and ipsec.secrets - Not supported with swanctl
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    if config.exists(base + ['include-ipsec-conf']):
+        config.delete(base + ['include-ipsec-conf'])
+
+    if config.exists(base + ['include-ipsec-secrets']):
+        config.delete(base + ['include-ipsec-secrets'])
diff --git a/src/migration-scripts/ipsec/12-to-13 b/src/migration-scripts/ipsec/12-to-13
new file mode 100644
index 0000000..ffe766e
--- /dev/null
+++ b/src/migration-scripts/ipsec/12-to-13
@@ -0,0 +1,37 @@
+# Copyright 2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Changed value of dead-peer-detection.action from hold to trap
+# Changed value of close-action from hold to trap and from restart to start
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec', 'ike-group']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    for ike_group in config.list_nodes(base):
+        base_dpd_action = base + [ike_group, 'dead-peer-detection', 'action']
+        base_close_action = base + [ike_group, 'close-action']
+        if config.exists(base_dpd_action) and config.return_value(base_dpd_action) == 'hold':
+            config.set(base_dpd_action, 'trap', replace=True)
+        if config.exists(base_close_action):
+            if config.return_value(base_close_action) == 'hold':
+                config.set(base_close_action, 'trap', replace=True)
+            if config.return_value(base_close_action) == 'restart':
+                config.set(base_close_action, 'start', replace=True)
diff --git a/src/migration-scripts/ipsec/4-to-5 b/src/migration-scripts/ipsec/4-to-5
new file mode 100644
index 0000000..a88a543
--- /dev/null
+++ b/src/migration-scripts/ipsec/4-to-5
@@ -0,0 +1,28 @@
+# Copyright 2019-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# log-modes have changed, keyword  all to any
+
+from vyos.configtree import ConfigTree
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(['vpn', 'ipsec', 'logging','log-modes']):
+        # Nothing to do
+        return
+
+    lmodes = config.return_values(['vpn', 'ipsec', 'logging','log-modes'])
+    for mode in lmodes:
+        if mode == 'all':
+            config.set(['vpn', 'ipsec', 'logging','log-modes'], value='any', replace=True)
diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6
new file mode 100644
index 0000000..373428d
--- /dev/null
+++ b/src/migration-scripts/ipsec/5-to-6
@@ -0,0 +1,73 @@
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Remove deprecated strongSwan options from VyOS CLI
+# - vpn ipsec nat-traversal enable
+# - vpn ipsec nat-networks allowed-network
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    # Delete CLI nodes whose config options got removed by strongSwan
+    for cli_node in ['nat-traversal', 'nat-networks']:
+        if config.exists(base + [cli_node]):
+            config.delete(base + [cli_node])
+
+    # Remove options only valid in Openswan
+    if config.exists(base + ['site-to-site', 'peer']):
+        for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+            if not config.exists(base + ['site-to-site', 'peer', peer, 'tunnel']):
+                continue
+            for tunnel in config.list_nodes(base + ['site-to-site', 'peer', peer, 'tunnel']):
+                # allow-public-networks - Sets a value in ipsec.conf that was only ever valid in Openswan on kernel 2.6
+                nat_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-nat-networks']
+                if config.exists(nat_networks):
+                    config.delete(nat_networks)
+
+                # allow-nat-networks - Also sets a value only valid in Openswan
+                public_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-public-networks']
+                if config.exists(public_networks):
+                    config.delete(public_networks)
+
+    # Rename "logging log-level" and "logging log-modes" to something more human friendly
+    log = base + ['logging']
+    if config.exists(log):
+        config.rename(log, 'log')
+        log = base + ['log']
+
+    log_level = log + ['log-level']
+    if config.exists(log_level):
+        config.rename(log_level, 'level')
+
+    log_mode = log + ['log-modes']
+    if config.exists(log_mode):
+        config.rename(log_mode, 'subsystem')
+
+    # Rename "ipsec-interfaces interface" to "interface"
+    base_interfaces = base + ['ipsec-interfaces', 'interface']
+    if config.exists(base_interfaces):
+        config.copy(base_interfaces, base + ['interface'])
+        config.delete(base + ['ipsec-interfaces'])
+
+    # Remove deprecated "auto-update" option
+    tmp = base + ['auto-update']
+    if config.exists(tmp):
+        config.delete(tmp)
diff --git a/src/migration-scripts/ipsec/6-to-7 b/src/migration-scripts/ipsec/6-to-7
new file mode 100644
index 0000000..5679477
--- /dev/null
+++ b/src/migration-scripts/ipsec/6-to-7
@@ -0,0 +1,155 @@
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Migrate /config/auth certificates and keys into PKI configuration
+
+import os
+
+from vyos.configtree import ConfigTree
+from vyos.pki import load_certificate
+from vyos.pki import load_crl
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
+from vyos.utils.process import run
+
+pki_base = ['pki']
+ipsec_site_base = ['vpn', 'ipsec', 'site-to-site', 'peer']
+
+AUTH_DIR = '/config/auth'
+
+def wrapped_pem_to_config_value(pem):
+    return "".join(pem.strip().split("\n")[1:-1])
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(ipsec_site_base):
+        return
+
+    migration_needed = False
+    for peer in config.list_nodes(ipsec_site_base):
+        if config.exists(ipsec_site_base + [peer, 'authentication', 'x509']):
+            migration_needed = True
+            break
+
+    if not migration_needed:
+        return
+
+    config.set(pki_base + ['ca'])
+    config.set_tag(pki_base + ['ca'])
+
+    config.set(pki_base + ['certificate'])
+    config.set_tag(pki_base + ['certificate'])
+
+    for peer in config.list_nodes(ipsec_site_base):
+        if not config.exists(ipsec_site_base + [peer, 'authentication', 'x509']):
+            continue
+
+        peer_x509_base = ipsec_site_base + [peer, 'authentication', 'x509']
+        pki_name = 'peer_' + peer.replace(".", "-").replace("@", "")
+
+        if config.exists(peer_x509_base + ['cert-file']):
+            cert_file = config.return_value(peer_x509_base + ['cert-file'])
+            cert_path = os.path.join(AUTH_DIR, cert_file)
+            cert = None
+
+            if os.path.isfile(cert_path):
+                if not os.access(cert_path, os.R_OK):
+                    run(f'sudo chmod 644 {cert_path}')
+
+                with open(cert_path, 'r') as f:
+                    cert_data = f.read()
+                    cert = load_certificate(cert_data, wrap_tags=False)
+
+            if cert:
+                cert_pem = encode_certificate(cert)
+                config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+                config.set(peer_x509_base + ['certificate'], value=pki_name)
+            else:
+                print(f'Failed to migrate certificate on peer "{peer}"')
+
+            config.delete(peer_x509_base + ['cert-file'])
+
+        if config.exists(peer_x509_base + ['ca-cert-file']):
+            ca_cert_file = config.return_value(peer_x509_base + ['ca-cert-file'])
+            ca_cert_path = os.path.join(AUTH_DIR, ca_cert_file)
+            ca_cert = None
+
+            if os.path.isfile(ca_cert_path):
+                if not os.access(ca_cert_path, os.R_OK):
+                    run(f'sudo chmod 644 {ca_cert_path}')
+
+                with open(ca_cert_path, 'r') as f:
+                    ca_cert_data = f.read()
+                    ca_cert = load_certificate(ca_cert_data, wrap_tags=False)
+
+            if ca_cert:
+                ca_cert_pem = encode_certificate(ca_cert)
+                config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(ca_cert_pem))
+                config.set(peer_x509_base + ['ca-certificate'], value=pki_name)
+            else:
+                print(f'Failed to migrate CA certificate on peer "{peer}"')
+
+            config.delete(peer_x509_base + ['ca-cert-file'])
+
+        if config.exists(peer_x509_base + ['crl-file']):
+            crl_file = config.return_value(peer_x509_base + ['crl-file'])
+            crl_path = os.path.join(AUTH_DIR, crl_file)
+            crl = None
+
+            if os.path.isfile(crl_path):
+                if not os.access(crl_path, os.R_OK):
+                    run(f'sudo chmod 644 {crl_path}')
+
+                with open(crl_path, 'r') as f:
+                    crl_data = f.read()
+                    crl = load_crl(crl_data, wrap_tags=False)
+
+            if crl:
+                crl_pem = encode_certificate(crl)
+                config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem))
+            else:
+                print(f'Failed to migrate CRL on peer "{peer}"')
+
+            config.delete(peer_x509_base + ['crl-file'])
+
+        if config.exists(peer_x509_base + ['key', 'file']):
+            key_file = config.return_value(peer_x509_base + ['key', 'file'])
+            key_passphrase = None
+
+            if config.exists(peer_x509_base + ['key', 'password']):
+                key_passphrase = config.return_value(peer_x509_base + ['key', 'password'])
+
+            key_path = os.path.join(AUTH_DIR, key_file)
+            key = None
+
+            if os.path.isfile(key_path):
+                if not os.access(key_path, os.R_OK):
+                    run(f'sudo chmod 644 {key_path}')
+
+                with open(key_path, 'r') as f:
+                    key_data = f.read()
+                    key = load_private_key(key_data, passphrase=key_passphrase, wrap_tags=False)
+
+            if key:
+                key_pem = encode_private_key(key, passphrase=key_passphrase)
+                config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+
+                if key_passphrase:
+                    config.set(pki_base + ['certificate', pki_name, 'private', 'password-protected'])
+                    config.set(peer_x509_base + ['private-key-passphrase'], value=key_passphrase)
+            else:
+                print(f'Failed to migrate private key on peer "{peer}"')
+
+            config.delete(peer_x509_base + ['key'])
diff --git a/src/migration-scripts/ipsec/7-to-8 b/src/migration-scripts/ipsec/7-to-8
new file mode 100644
index 0000000..481f00d
--- /dev/null
+++ b/src/migration-scripts/ipsec/7-to-8
@@ -0,0 +1,103 @@
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Migrate rsa keys into PKI configuration
+
+import base64
+import os
+import struct
+
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from vyos.configtree import ConfigTree
+from vyos.pki import load_private_key
+from vyos.pki import encode_public_key
+from vyos.pki import encode_private_key
+
+pki_base = ['pki']
+ipsec_site_base = ['vpn', 'ipsec', 'site-to-site', 'peer']
+rsa_keys_base = ['vpn', 'rsa-keys']
+
+LOCAL_KEY_PATHS = ['/config/auth/', '/config/ipsec.d/rsa-keys/']
+
+def migrate_from_vyatta_key(data):
+    data = base64.b64decode(data[2:])
+    length = struct.unpack('B', data[:1])[0]
+    e = int.from_bytes(data[1:1+length], 'big')
+    n = int.from_bytes(data[1+length:], 'big')
+    public_numbers = rsa.RSAPublicNumbers(e, n)
+    return public_numbers.public_key()
+
+def wrapped_pem_to_config_value(pem):
+    return "".join(pem.strip().split("\n")[1:-1])
+
+local_key_name = 'localhost'
+
+def migrate(config: ConfigTree) -> None:
+    if config.exists(rsa_keys_base):
+        if not config.exists(pki_base + ['key-pair']):
+            config.set(pki_base + ['key-pair'])
+            config.set_tag(pki_base + ['key-pair'])
+
+        if config.exists(rsa_keys_base + ['local-key', 'file']):
+            local_file = config.return_value(rsa_keys_base + ['local-key', 'file'])
+            local_path = None
+            local_key = None
+
+            for path in LOCAL_KEY_PATHS:
+                full_path = os.path.join(path, local_file)
+                if os.path.exists(full_path):
+                    local_path = full_path
+                    break
+
+            if local_path:
+                with open(local_path, 'r') as f:
+                    local_key_data = f.read()
+                    local_key = load_private_key(local_key_data, wrap_tags=False)
+
+            if local_key:
+                local_key_pem = encode_private_key(local_key)
+                config.set(pki_base + ['key-pair', local_key_name, 'private', 'key'], value=wrapped_pem_to_config_value(local_key_pem))
+            else:
+                print('Failed to migrate local RSA key')
+
+        if config.exists(rsa_keys_base + ['rsa-key-name']):
+            for rsa_name in config.list_nodes(rsa_keys_base + ['rsa-key-name']):
+                if not config.exists(rsa_keys_base + ['rsa-key-name', rsa_name, 'rsa-key']):
+                    continue
+
+                vyatta_key = config.return_value(rsa_keys_base + ['rsa-key-name', rsa_name, 'rsa-key'])
+                public_key = migrate_from_vyatta_key(vyatta_key)
+
+                if public_key:
+                    public_key_pem = encode_public_key(public_key)
+                    config.set(pki_base + ['key-pair', rsa_name, 'public', 'key'], value=wrapped_pem_to_config_value(public_key_pem))
+                else:
+                    print(f'Failed to migrate rsa-key "{rsa_name}"')
+
+        config.delete(rsa_keys_base)
+
+    if config.exists(ipsec_site_base):
+        for peer in config.list_nodes(ipsec_site_base):
+            mode = config.return_value(ipsec_site_base + [peer, 'authentication', 'mode'])
+
+            if mode != 'rsa':
+                continue
+
+            config.set(ipsec_site_base + [peer, 'authentication', 'rsa', 'local-key'], value=local_key_name)
+
+            remote_key_name = config.return_value(ipsec_site_base + [peer, 'authentication', 'rsa-key-name'])
+            config.set(ipsec_site_base + [peer, 'authentication', 'rsa', 'remote-key'], value=remote_key_name)
+            config.delete(ipsec_site_base + [peer, 'authentication', 'rsa-key-name'])
diff --git a/src/migration-scripts/ipsec/8-to-9 b/src/migration-scripts/ipsec/8-to-9
new file mode 100644
index 0000000..7f32513
--- /dev/null
+++ b/src/migration-scripts/ipsec/8-to-9
@@ -0,0 +1,30 @@
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T4288 : close-action is missing in swanctl.conf
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec', 'ike-group']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    for ike_group in config.list_nodes(base):
+        base_closeaction = base + [ike_group, 'close-action']
+        if config.exists(base_closeaction) and config.return_value(base_closeaction) == 'clear':
+            config.set(base_closeaction, 'none', replace=True)
diff --git a/src/migration-scripts/ipsec/9-to-10 b/src/migration-scripts/ipsec/9-to-10
new file mode 100644
index 0000000..321a759
--- /dev/null
+++ b/src/migration-scripts/ipsec/9-to-10
@@ -0,0 +1,114 @@
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T4118: Change vpn ipsec syntax for IKE ESP and peer
+# T4879: IPsec migration script remote-id for peer name eq address
+
+import re
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    # IKE changes, T4118:
+    if config.exists(base + ['ike-group']):
+        for ike_group in config.list_nodes(base + ['ike-group']):
+            # replace 'ipsec ike-group <tag> mobike disable'
+            #      => 'ipsec ike-group <tag> disable-mobike'
+            mobike = base + ['ike-group', ike_group, 'mobike']
+            if config.exists(mobike):
+                if config.return_value(mobike) == 'disable':
+                    config.set(base + ['ike-group', ike_group, 'disable-mobike'])
+                config.delete(mobike)
+
+            # replace 'ipsec ike-group <tag> ikev2-reauth yes'
+            #      => 'ipsec ike-group <tag> ikev2-reauth'
+            reauth = base + ['ike-group', ike_group, 'ikev2-reauth']
+            if config.exists(reauth):
+                if config.return_value(reauth) == 'yes':
+                    config.delete(reauth)
+                    config.set(reauth)
+                else:
+                    config.delete(reauth)
+
+    # ESP changes
+    # replace 'ipsec esp-group <tag> compression enable'
+    #      => 'ipsec esp-group <tag> compression'
+    if config.exists(base + ['esp-group']):
+        for esp_group in config.list_nodes(base + ['esp-group']):
+            compression = base + ['esp-group', esp_group, 'compression']
+            if config.exists(compression):
+                if config.return_value(compression) == 'enable':
+                    config.delete(compression)
+                    config.set(compression)
+                else:
+                    config.delete(compression)
+
+    # PEER changes
+    if config.exists(base + ['site-to-site', 'peer']):
+        for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+            peer_base = base + ['site-to-site', 'peer', peer]
+
+            # replace: 'peer <tag> id x'
+            #       => 'peer <tag> local-id x'
+            if config.exists(peer_base + ['authentication', 'id']):
+                config.rename(peer_base + ['authentication', 'id'], 'local-id')
+
+            # For the peer '@foo' set remote-id 'foo' if remote-id is not defined
+            # For the peer '192.0.2.1' set remote-id '192.0.2.1' if remote-id is not defined
+            if not config.exists(peer_base + ['authentication', 'remote-id']):
+                tmp = peer.replace('@', '') if peer.startswith('@') else peer
+                config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
+
+            # replace: 'peer <tag> force-encapsulation enable'
+            #       => 'peer <tag> force-udp-encapsulation'
+            force_enc = peer_base + ['force-encapsulation']
+            if config.exists(force_enc):
+                if config.return_value(force_enc) == 'enable':
+                    config.delete(force_enc)
+                    config.set(peer_base + ['force-udp-encapsulation'])
+                else:
+                    config.delete(force_enc)
+
+            # add option: 'peer <tag> remote-address x.x.x.x'
+            remote_address = peer
+            if peer.startswith('@'):
+                remote_address = 'any'
+            config.set(peer_base + ['remote-address'], value=remote_address)
+            # Peer name it is swanctl connection name and shouldn't contain dots or colons
+            # rename peer:
+            #   peer 192.0.2.1   => peer peer_192-0-2-1
+            #   peer 2001:db8::2 => peer peer_2001-db8--2
+            #   peer @foo        => peer peer_foo
+            re_peer_name = re.sub(':|\.', '-', peer)
+            if re_peer_name.startswith('@'):
+                re_peer_name = re.sub('@', '', re_peer_name)
+            new_peer_name = f'peer_{re_peer_name}'
+
+            config.rename(peer_base, new_peer_name)
+
+    # remote-access/road-warrior changes
+    if config.exists(base + ['remote-access', 'connection']):
+        for connection in config.list_nodes(base + ['remote-access', 'connection']):
+            ra_base = base + ['remote-access', 'connection', connection]
+            # replace: 'remote-access connection <tag> authentication id x'
+            #       => 'remote-access connection <tag> authentication local-id x'
+            if config.exists(ra_base + ['authentication', 'id']):
+                config.rename(ra_base + ['authentication', 'id'], 'local-id')