
T4916: Rewrite IPsec peer authentication and psk migration #1757

Status: Closed (wanted to merge 32 commits)

Conversation

sever-sever (Member) commented Jan 12, 2023

Change Summary

Rewrite strongswan IPsec site-to-site authentication to reflect the structure of swanctl.conf.
The most important change is that more than one local/remote ID in the same auth entry should be allowed.

```
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
      => 'ipsec authentication psk <tag> secret xxx'
```

One of the use cases is compatibility with Cisco Flex.

Related PR

vyos/vyatta-cfg-system#195

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe): Migration ipsec auth

Related Task(s)

Component(s) name

ipsec

Proposed changes

How to test

VyOS configuration:

```
set vpn ipsec authentication psk bar id '192.0.2.1'
set vpn ipsec authentication psk bar id '192.0.2.3'
set vpn ipsec authentication psk bar id '192.0.2.1.local.peer-b'
set vpn ipsec authentication psk bar id '192.0.2.2.peer-b'
set vpn ipsec authentication psk bar secret 'SecretBar'
set vpn ipsec authentication psk baz id 'fsdfdf'
set vpn ipsec authentication psk baz secret 'bazdfwefsecrettt'

set vpn ipsec esp-group ESP-group-b lifetime '1800'
set vpn ipsec esp-group ESP-group-b mode 'tunnel'
set vpn ipsec esp-group ESP-group-b pfs 'enable'
set vpn ipsec esp-group ESP-group-b proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-group-b proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group-b key-exchange 'ikev1'
set vpn ipsec ike-group IKE-group-b lifetime '3600'
set vpn ipsec ike-group IKE-group-b proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-group-b proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group-b proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'

set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.1.local.peer-b'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.2.peer-b'

set vpn ipsec site-to-site peer OFFICE-B connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group-b'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group-b'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
```

Generated swanctl.conf:

```
vyos@r1# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    OFFICE-B {
        proposals = aes256-sha256-modp2048
        version = 1
        local_addrs = 192.0.2.1 # dhcp:no
        remote_addrs = 192.0.2.2
        dpd_timeout = 120
        dpd_delay = 30
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.0.2.1.local.peer-b"
            auth = psk
        }
        remote {
            id = "192.0.2.2.peer-b"
            auth = psk
        }
        children {
            OFFICE-B-tunnel-0 {
                esp_proposals = aes128-sha1-modp2048
                life_time = 1800s
                local_ts = 192.168.0.0/24
                remote_ts = 10.0.0.0/21
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = 
                close_action = 
            }
        }
    }

}

pools {
}

secrets {
    ike-bar {
        # ID's from auth psk <tag> id xxx
        id-192-0-2-1 = 192.0.2.1
        id-192-0-2-3 = 192.0.2.3
        id-192-0-2-1-local-peer-b = 192.0.2.1.local.peer-b
        id-192-0-2-2-peer-b = 192.0.2.2.peer-b
        secret = "SecretBar"
    }
    ike-baz {
        # ID's from auth psk <tag> id xxx
        id-fsdfdf = fsdfdf
        secret = "bazdfwefsecrettt"
    }

}
```

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@c-po c-po requested review from a team, dmbaturin, sarthurdev, zdc, jestabro and c-po and removed request for a team January 12, 2023 19:09
@sever-sever sever-sever marked this pull request as draft January 12, 2023 19:24
vfreex and others added 15 commits January 17, 2023 10:14

`passive_interface` is a leaf node. Also adds a smoketest.

We get incorrect data when showing connections.
As we get a list of all connections, we should compare the connection
name with the entries in the list and set the correct data if they match.

Encapsulating the add/delete image commands in the op-mode script allows
automatic generation of corresponding API schema definitions.

Changed restart to reload-or-restart in commit.
It allows reloading the config instead of restarting the webproxy service
during commit.

`show interfaces ethernet eth0` and `show interface bonding eth0`
produce the same output. While this is not a big problem it does
make usage a bit odd sometimes.

This commit adds the --intf_type option to all instances of
interfaces.py to make output consistent.

Setting something like `protocols ospf area 10 range 10.10.0.0/16` without sub options doesn't work. This is because no range commands are generated when there are no leaf nodes set under the `range` tag node.

```
edit protocols ospf
set area 16 network 10.10.0.0/16
set area 16 range 10.10.0.0/16
commit
```

```
$ vtysh -c 'show run'
!
router ospf
 auto-cost reference-bandwidth 100
 timers throttle spf 200 1000 10000
 network 10.10.0.0/16 area 16
exit
```

The generated FRR commands above are missing something like:

```
 area 16 range 10.10.0.0/16
```
sever-sever and others added 17 commits January 17, 2023 10:14

If IPsec "peer <tag> authentication remote-id" is not set
it should be "%any" by default
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote

Set the XML default value and use it in the python vpn_ipsec.py script.

In the past we could simply set all bits for all CPUs even if they did not
exist. With the 6.1.y Kernel series this is no longer possible and the input data
is validated against the available number of CPUs.

Fix ValueError: Unknown format code 'x' for object of type 'str' added in
commit c0ffb8b ("ethernet: rps: T4928: adjust to Kernel ABI changes").

Commit 1fc7e30 ('T4935: ospfv3: "not-advertise" and "advertise" conflict')
added a check for not-advertise and advertise in the same area but lacked a
test of whether the key really exists in the dict which is to be validated.

This fixes commit 20f448d ("T4934: ospf: Fix inter-area route summarization")
where an assert was present for a CLI option that had not been set,
causing tests to fail.

Improves test runtime as interfaces are not created/deleted on every
test case.

This fixes commit 20f448d ("T4934: ospf: Fix inter-area route summarization")
where an assert was present for a CLI option that had not been set,
causing tests to fail.

Commit e28b10c ("smoketest: dhcpv6-relay: use setUpClass() over setUp()")
introduced a TypeError:

   TypeError: cli_set() missing 1 required positional argument: 'config'

This has been fixed.

This prevents any stale override files when the system is being rebooted,
but the actual configuration was not saved. /run is a tmpfs and thus
always fresh after boot.

* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony

Rewrite strongswan IPsec authentication to reflect the structure
of swanctl.conf.
The most important change is that more than one local/remote ID in the
same auth entry should be allowed.

```
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
      => 'ipsec authentication psk <tag> secret xxx'
```

```
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
```
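The mapping from `vpn ipsec authentication psk <tag> id/secret` to the `secrets { ike-<tag> { ... } }` block, as described in the PR summary and again in the final commit message, rendered as an added example that is not vyos-1x code. The `id-...` key naming is inferred from the quoted swanctl.conf output, and `unmatched_peer_ids` is a sanity check of my own that flags a peer `local-id`/`remote-id` no PSK entry lists (a common reason a pre-shared-key lookup fails at IKE auth); the sample dicts are constructed to mirror the PR's test configuration.

```python
import re

# Constructed sample mirroring the PR's "How to test" configuration.
PSK_CONFIG = {
    'bar': {'id': ['192.0.2.1', '192.0.2.3',
                   '192.0.2.1.local.peer-b', '192.0.2.2.peer-b'],
            'secret': 'SecretBar'},
    'baz': {'id': ['fsdfdf'], 'secret': 'bazdfwefsecrettt'},
}
PEERS = {
    'OFFICE-B': {'local-id': '192.0.2.1.local.peer-b',
                 'remote-id': '192.0.2.2.peer-b'},
}

def id_key(ident):
    """Key name as seen in the PR's swanctl.conf: 'id-' plus the identity with
    every character outside [A-Za-z0-9] turned into '-' (assumed rule)."""
    return 'id-' + re.sub(r'[^A-Za-z0-9]', '-', ident)

def render_secrets(psk_config):
    """Render the secrets section in the layout of the autogenerated file."""
    lines = ['secrets {']
    for tag, entry in psk_config.items():
        lines.append(f'    ike-{tag} {{')
        lines.append("        # ID's from auth psk <tag> id xxx")
        for ident in entry['id']:
            lines.append(f'        {id_key(ident)} = {ident}')
        lines.append(f'        secret = "{entry["secret"]}"')
        lines.append('    }')
    lines.append('}')
    return '\n'.join(lines)

def unmatched_peer_ids(peers, psk_config):
    """Return (peer, option, id) for every local-id/remote-id that appears in
    no PSK entry. An unset remote-id means %any (per the PR) and is skipped."""
    known = {i for entry in psk_config.values() for i in entry['id']}
    missing = []
    for peer, auth in peers.items():
        for option in ('local-id', 'remote-id'):
            ident = auth.get(option, '%any')
            if ident != '%any' and ident not in known:
                missing.append((peer, option, ident))
    return missing

if __name__ == '__main__':
    print(render_secrets(PSK_CONFIG))
    print('unmatched:', unmatched_peer_ids(PEERS, PSK_CONFIG))
```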
sever-sever (Member, Author) commented:

close PR
the actual PR #1761
