T4916: Rewrite IPsec peer authentication and psk migration #1757
Closed
Conversation
c-po requested review from a team, dmbaturin, sarthurdev, zdc, jestabro and c-po, and removed the request for a team, on January 12, 2023 19:09
sever-sever force-pushed the T4916 branch 5 times, most recently from 06464f6 to 3f7ddd9, on January 17, 2023 09:10
`passive_interface` is a leaf node. Also adds a smoketest.
This reverts commit 6857447.
This reverts commit 36d16f5.
We get incorrect data when showing connections. As we get a list of all connections, we should compare the connection name with the entries in the list and set the correct data if they match.
Encapsulating the add/delete image commands in the op-mode script allows automatic generation of corresponding API schema definitions.
Changed restart to reload-or-restart in commit. It allows reloading the config instead of restarting the webproxy service during commit.
`show interfaces ethernet eth0` and `show interface bonding eth0` produces the same output. While this is not a big problem it does make usage a bit odd sometimes. This commit adds the --intf_type option to all instances of interfaces.py to make output consistent.
They can't be set at the same time.
in vyos.util.colon_separated_to_dict
Setting something like `protocols ospf area 10 range 10.10.0.0/16` without sub options doesn't work. This is because no range commands are generated when there are no leaf nodes set under the `range` tag node.

```
edit protocols ospf
set area 16 network 10.10.0.0/16
set area 16 range 10.10.0.0/16
commit
```

```
$ vtysh -c 'show run'
!
router ospf
 auto-cost reference-bandwidth 100
 timers throttle spf 200 1000 10000
 network 10.10.0.0/16 area 16
exit
```

The generated FRR commands above are missing something like:

```
area 16 range 10.10.0.0/16
```
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default, see https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote. Set the XML default value and use it in the python vpn_ipsec.py script.
In the past we could simply set all bits for all CPUs even if they did not exist. With 6.1.y Kernel series this is no longer possible and the input data is validated against the available number of CPUs.
Fix ValueError: Unknown format code 'x' for object of type 'str' added in commit c0ffb8b ("ethernet: rps: T4928: adjust to Kernel ABI changes").
Commit 1fc7e30 ('T4935: ospfv3: "not-advertise" and "advertise" conflict') added a check for not-advertise and advertise in the same area but lacked a test if the key really exists in the dict which is to be validated.
This fixes commit 20f448d ("T4934: ospf: Fix inter-area route summarization") where an assert was present for a CLI option that was missing to be set causing tests to fail.
Improves test runtime as interfaces are not created/deleted on every test case.
Commit e28b10c ("smoketest: dhcpv6-relay: use setUpClass() over setUp()") introduced a TypeError: TypeError: cli_set() missing 1 required positional argument: 'config' This has been fixed.
This prevents any stale override files when the system is being rebooted but the actual configuration was not saved. /run is a tmpfs and thus always fresh after boot.
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf

The most important change is that more than one local/remote ID in the same auth entry should be allowed.

replace:
'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'

set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Change Summary
Rewrite strongswan IPsec site-to-site authentication to reflect structure from swanctl.conf
The most important change is that more than one local/remote ID in the same auth entry should be allowed.
One of the use cases is compatibility with Cisco Flex.
Related PR
vyos/vyatta-cfg-system#195
Component(s) name
ipsec
How to test
VyOS configuration:
swanctl.conf
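The CLI migration described in the change summary and in the last commit message above, as an added example that is not part of this PR or of VyOS's own migration scripts: it takes the old per-peer `pre-shared-secret` layout, emits the new `vpn ipsec authentication psk <tag>` entry (one psk entry shared by several ids) plus the peer's `local-id`/`mode`/`remote-id`, applies the `%any` default for a missing remote-id that the T4916 remote-id commit introduces, and renders the equivalent swanctl.conf `secrets` section. The dict layout of the old configuration, the rule that the psk entry is named after the peer tag, the choice to list only configured ids (never `%any`) under the psk entry, and the sample peers are all assumptions made for this example.

```python
"""Added example, not VyOS project code: migrate old-style IPsec peer
pre-shared-secret configuration to the 'authentication psk <tag>' layout.

Assumptions (not taken from the PR): the old config is a dict keyed by
peer tag holding 'pre-shared-secret', 'local-id' and 'remote-id'; the
psk entry reuses the peer tag as its name; only ids that were actually
configured are listed under the psk entry, while a missing remote-id
becomes '%any' on the peer node (the swanctl default).
"""
from __future__ import annotations

ANY_ID = "%any"  # swanctl's default for an unset remote id

# Constructed sample input: one fully specified peer (mirrors the PR's
# 192.0.2.x example) and one peer without a remote-id.
OLD_CONFIG = {
    "cisco": {"pre-shared-secret": "xxx",
              "local-id": "192.0.2.1", "remote-id": "192.0.2.2"},
    "lab": {"pre-shared-secret": "yyy", "local-id": "192.0.2.1"},
}


def migrate_peer_auth(old_cfg: dict[str, dict[str, str]]) -> dict:
    """Return the new-style 'vpn ipsec' subtree for every psk peer."""
    new_cfg = {"authentication": {"psk": {}}, "site-to-site": {"peer": {}}}
    for tag, peer in old_cfg.items():
        secret = peer.get("pre-shared-secret")
        if not secret:
            # Peers using other auth modes (rsa/x509) are not psk peers;
            # they are left alone by this example.
            continue
        local_id = peer.get("local-id")
        remote_id = peer.get("remote-id", ANY_ID)
        # The point of the rewrite: several ids may share one psk entry.
        # Only configured ids are listed; '%any' is a peer-side default.
        ids = [i for i in (local_id, peer.get("remote-id")) if i]
        new_cfg["authentication"]["psk"][tag] = {"id": ids, "secret": secret}
        auth = {"mode": "pre-shared-secret", "remote-id": remote_id}
        if local_id:
            auth["local-id"] = local_id
        new_cfg["site-to-site"]["peer"][tag] = {"authentication": auth}
    return new_cfg


def to_set_commands(new_cfg: dict) -> list[str]:
    """Render the migrated subtree as 'set vpn ipsec ...' CLI commands."""
    cmds = []
    for tag, entry in new_cfg["authentication"]["psk"].items():
        for i in entry["id"]:
            cmds.append(f"set vpn ipsec authentication psk {tag} id '{i}'")
        cmds.append(
            f"set vpn ipsec authentication psk {tag} secret '{entry['secret']}'")
    for tag, peer in new_cfg["site-to-site"]["peer"].items():
        auth = peer["authentication"]
        for key in ("local-id", "mode", "remote-id"):
            if key in auth:
                cmds.append(f"set vpn ipsec site-to-site peer {tag} "
                            f"authentication {key} '{auth[key]}'")
    return cmds


def render_swanctl_secrets(new_cfg: dict) -> str:
    """Render the psk entries as a swanctl.conf 'secrets' section.

    swanctl keys IKE secrets as 'ike<suffix>' blocks with 'id<suffix>'
    members; the '-<tag>' / '-<n>' suffix scheme here is this example's.
    """
    lines = ["secrets {"]
    for tag, entry in new_cfg["authentication"]["psk"].items():
        lines.append(f"    ike-{tag} {{")
        for n, i in enumerate(entry["id"], 1):
            lines.append(f"        id-{n} = {i}")
        lines.append(f"        secret = {entry['secret']}")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    migrated = migrate_peer_auth(OLD_CONFIG)
    print("\n".join(to_set_commands(migrated)))
    print(render_swanctl_secrets(migrated))
```

Running the block prints the six `set` lines from the PR description for the `cisco` peer, and for the `lab` peer a psk entry with a single id plus `remote-id '%any'` on the peer node, which is the behaviour a migration script has to get right for peers that never set a remote-id.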