Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
T4916: Rewrite IPsec peer authentication and psk migration
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
- Loading branch information
1 parent
e59fe7c
commit ca8cc37
Showing
6 changed files
with
171 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
<!-- include start from include/version/ipsec-version.xml.i --> | ||
<syntaxVersion component='ipsec' version='10'></syntaxVersion> | ||
<syntaxVersion component='ipsec' version='11'></syntaxVersion> | ||
<!-- include end --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
#!/usr/bin/env python3 | ||
# | ||
# Copyright (C) 2023 VyOS maintainers and contributors | ||
# | ||
# This program is free software; you can redistribute it and/or modify | ||
# it under the terms of the GNU General Public License version 2 or later as | ||
# published by the Free Software Foundation. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License | ||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
import re | ||
|
||
from sys import argv | ||
from sys import exit | ||
|
||
from vyos.configtree import ConfigTree | ||
|
||
|
||
if (len(argv) < 1): | ||
print("Must specify file name!") | ||
exit(1) | ||
|
||
file_name = argv[1] | ||
|
||
with open(file_name, 'r') as f: | ||
config_file = f.read() | ||
|
||
base = ['vpn', 'ipsec'] | ||
config = ConfigTree(config_file) | ||
|
||
if not config.exists(base): | ||
# Nothing to do | ||
exit(0) | ||
|
||
# PEER changes | ||
if config.exists(base + ['site-to-site', 'peer']): | ||
for peer in config.list_nodes(base + ['site-to-site', 'peer']): | ||
peer_base = base + ['site-to-site', 'peer', peer] | ||
|
||
# replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' | ||
# => 'ipsec authentication psk <tag> secret xxx' | ||
if config.exists(peer_base + ['authentication', 'pre-shared-secret']): | ||
tmp = config.return_value(peer_base + ['authentication', 'pre-shared-secret']) | ||
config.delete(peer_base + ['authentication', 'pre-shared-secret']) | ||
config.set(base + ['authentication', 'psk', peer, 'secret'], value=tmp) | ||
|
||
# Get id's from peers for "ipsec auth psk <tag> id xxx" | ||
if config.exists(peer_base + ['authentication', 'local-id']): | ||
local_id = config.return_value(peer_base + ['authentication', 'local-id']) | ||
config.set(base + ['authentication', 'psk', peer, 'id'], value=local_id, replace=False) | ||
if config.exists(peer_base + ['authentication', 'remote-id']): | ||
remote_id = config.return_value(peer_base + ['authentication', 'remote-id']) | ||
config.set(base + ['authentication', 'psk', peer, 'id'], value=remote_id, replace=False) | ||
|
||
if config.exists(peer_base + ['local-address']): | ||
tmp = config.return_value(peer_base + ['local-address']) | ||
config.set(base + ['authentication', 'psk', peer, 'id'], value=tmp, replace=False) | ||
if config.exists(peer_base + ['remote-address']): | ||
tmp = config.return_value(peer_base + ['remote-address']) | ||
config.set(base + ['authentication', 'psk', peer, 'id'], value=tmp, replace=False) | ||
|
||
|
||
try: | ||
with open(file_name, 'w') as f: | ||
f.write(config.to_string()) | ||
except OSError as e: | ||
print(f'Failed to save the modified config: {e}') | ||
exit(1) |