T4916: Rewrite IPsec peer authentication and psk migration

data/op-mode-standardized.json

@@ -8,6 +8,7 @@
 "dhcp.py",
 "dns.py",
 "interfaces.py",
+"lldp.py",
 "log.py",
 "memory.py",
 "nat.py",

data/templates/chrony/chrony.conf.j2

@@ -0,0 +1,58 @@
+### Autogenerated by ntp.py ###
+
+# This would step the system clock if the adjustment is larger than 0.1 seconds,
+# but only in the first three clock updates.
+makestep 1.0 3
+
+# The rtcsync directive enables a mode where the system time is periodically
+# copied to the RTC and chronyd does not try to track its drift. This directive
+# cannot be used with the rtcfile directive. On Linux, the RTC copy is performed
+# by the kernel every 11 minutes.
+rtcsync
+
+# This directive specifies the maximum amount of memory that chronyd is allowed
+# to allocate for logging of client accesses and the state that chronyd as an
+# NTP server needs to support the interleaved mode for its clients.
+clientloglimit 1048576
+
+driftfile /run/chrony/drift
+dumpdir /run/chrony
+pidfile {{ config_file | replace('.conf', '.pid') }}
+
+# Determine when will the next leap second occur and what is the current offset
+leapsectz right/UTC
+
+user {{ user }}
+
+# NTP servers to reach out to
+{% if server is vyos_defined %}
+{%     for server, config in server.items() %}
+{%         set association = 'server' %}
+{%         if config.pool is vyos_defined %}
+{%             set association = 'pool' %}
+{%         endif %}
+{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }}
+{%     endfor %}
+{% endif %}
+
+# Allowed clients configuration
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+allow {{ address }}
+{%     endfor %}
+{% endif %}
+deny all
+
+{% if listen_address is vyos_defined or interface is vyos_defined %}
+# NTP should listen on configured addresses only
+{%     if listen_address is vyos_defined %}
+{%         for address in listen_address %}
+bindaddress {{ address }}
+{%         endfor %}
+{%     endif %}
+{%     if interface is vyos_defined %}
+{%         for ifname in interface %}
+binddevice {{ ifname }}
+{%         endfor %}
+{%     endif %}
+{% endif %}

data/templates/ntp/override.conf.j2 → data/templates/chrony/override.conf.j2

@@ -5,10 +5,13 @@ ConditionPathExists={{ config_file }}
 After=vyos-router.service
 
 [Service]
+EnvironmentFile=
 ExecStart=
-ExecStart={{ vrf_command }}/usr/sbin/ntpd -g -p {{ config_file | replace('.conf', '.pid') }} -c {{ config_file }} -u ntp:ntp
+ExecStart={{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }}
 PIDFile=
 PIDFile={{ config_file | replace('.conf', '.pid') }}
 Restart=always
 RestartSec=10
+# Required for VRF support
+ProtectControlGroups=No
 

data/templates/frr/ospfd.frr.j2

@@ -84,11 +84,13 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         endfor %}
 {%         if area_config.range is vyos_defined %}
 {%             for range, range_config in area_config.range.items() %}
-{%                 if range_config.cost is vyos_defined %}
- area {{ area_id }} range {{ range }} cost {{ range_config.cost }}
-{%                 endif %}
 {%                 if range_config.not_advertise is vyos_defined %}
  area {{ area_id }} range {{ range }} not-advertise
+{%                 else %}
+ area {{ area_id }} range {{ range }}
+{%                 endif %}
+{%                 if range_config.cost is vyos_defined %}
+ area {{ area_id }} range {{ range }} cost {{ range_config.cost }}
 {%                 endif %}
 {%                 if range_config.substitute is vyos_defined %}
  area {{ area_id }} range {{ range }} substitute {{ range_config.substitute }}
@@ -170,7 +172,7 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {% if parameters.router_id is vyos_defined %}
  ospf router-id {{ parameters.router_id }}
 {% endif %}
-{% if passive_interface.default is vyos_defined %}
+{% if passive_interface is vyos_defined('default') %}
  passive-interface default
 {% endif %}
 {% if redistribute is vyos_defined %}

data/templates/https/nginx.default.j2

@@ -34,7 +34,7 @@ server {
         ssl_protocols TLSv1.2 TLSv1.3;
 
         # proxy settings for HTTP API, if enabled; 503, if not
-        location ~ /(retrieve|configure|config-file|image|generate|show|reset|docs|openapi.json|redoc|graphql) {
+        location ~ /(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) {
 {%     if server.api %}
 {%         if server.api.socket %}
                 proxy_pass http://unix:/run/api.sock;

data/templates/ipsec/swanctl.conf.j2

@@ -58,23 +58,7 @@ secrets {
 {% if site_to_site.peer is vyos_defined %}
 {%     for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
 {%         set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
-{%         if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
-    ike_{{ peer_name }} {
-{%             if peer_conf.local_address is vyos_defined %}
-        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{%             endif %}
-{%             for address in peer_conf.remote_address %}
-        id-remote_{{ address | dot_colon_to_dash }} = {{ address }}
-{%             endfor %}
-{%             if peer_conf.authentication.local_id is vyos_defined %}
-        id-localid = {{ peer_conf.authentication.local_id }}
-{%             endif %}
-{%             if peer_conf.authentication.remote_id is vyos_defined %}
-        id-remoteid = {{ peer_conf.authentication.remote_id }}
-{%             endif %}
-        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
-    }
-{%         elif peer_conf.authentication.mode is vyos_defined('x509') %}
+{%         if peer_conf.authentication.mode is vyos_defined('x509') %}
     private_{{ peer_name }} {
         file = {{ peer_conf.authentication.x509.certificate }}.pem
 {%             if peer_conf.authentication.x509.passphrase is vyos_defined %}
@@ -91,6 +75,20 @@ secrets {
 {%         endif %}
 {%     endfor %}
 {% endif %}
+{% if authentication.psk is vyos_defined %}
+{%     for psk, psk_config in authentication.psk.items() %}
+    ike-{{ psk }} {
+{%         if psk_config.id is vyos_defined %}
+        # ID's from auth psk <tag> id xxx
+{%             for id in psk_config.id %}
+        id-{{ id | dot_colon_to_dash }} = {{ id }}
+{%             endfor %}
+{%         endif %}
+        secret = "{{ psk_config.secret }}"
+    }
+{%     endfor %}
+{% endif %}
+
 {% if remote_access.connection is vyos_defined %}
 {%     for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
 {%         if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
@@ -130,4 +128,3 @@ secrets {
 {%     endif %}
 {% endif %}
 }
-

data/templates/ipsec/swanctl/peer.j2

@@ -45,11 +45,7 @@
 {% endif %}
         }
         remote {
-{% if peer_conf.authentication.remote_id is vyos_defined %}
             id = "{{ peer_conf.authentication.remote_id }}"
-{% else %}
-            id = "{{ peer }}"
-{% endif %}
             auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
 {% if peer_conf.authentication.mode == 'rsa' %}
             pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem

data/templates/telegraf/telegraf.j2

@@ -102,7 +102,7 @@
   dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"]
 [[inputs.ethtool]]
   interface_include = {{ interfaces_ethernet }}
-[[inputs.ntpq]]
+[[inputs.chrony]]
   dns_lookup = true
 [[inputs.internal]]
 [[inputs.nstat]]

debian/control

@@ -39,7 +39,6 @@ Depends:
   beep,
   bmon,
   bsdmainutils,
-  charon-systemd,
   conntrack,
   conntrackd,
   conserver-client,
@@ -102,8 +101,7 @@ Depends:
   nfct,
   nftables (>= 0.9.3),
   nginx-light,
-  ntp,
-  ntpdate,
+  chrony,
   nvme-cli,
   ocserv,
   opennhrp,

interface-definitions/include/version/ipsec-version.xml.i

@@ -1,3 +1,3 @@
 <!-- include start from include/version/ipsec-version.xml.i -->
-<syntaxVersion component='ipsec' version='10'></syntaxVersion>
+<syntaxVersion component='ipsec' version='11'></syntaxVersion>
 <!-- include end -->

interface-definitions/include/version/ntp-version.xml.i

@@ -1,3 +1,3 @@
 <!-- include start from include/version/ntp-version.xml.i -->
-<syntaxVersion component='ntp' version='1'></syntaxVersion>
+<syntaxVersion component='ntp' version='2'></syntaxVersion>
 <!-- include end -->

interface-definitions/ntp.xml.in

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!-- NTP configuration -->
 <interfaceDefinition>
-  <node name="system">
+  <node name="service">
     <children>
       <node name="ntp" owner="${vyos_conf_scripts_dir}/ntp.py">
         <properties>
@@ -43,12 +43,6 @@
                   <valueless/>
                 </properties>
               </leafNode>
-              <leafNode name="preempt">
-                <properties>
-                  <help>Specifies the association as preemptable rather than the default persistent</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
               <leafNode name="prefer">
                 <properties>
                   <help>Marks the server as preferred</help>
@@ -57,24 +51,33 @@
               </leafNode>
             </children>
           </tagNode>
-          <node name="allow-clients">
+          <node name="allow-client">
             <properties>
-              <help>Network Time Protocol (NTP) server options</help>
+              <help>Specify NTP clients allowed to access the server</help>
             </properties>
             <children>
               <leafNode name="address">
                 <properties>
                   <help>IP address</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>Allowed IPv4 address</description>
+                  </valueHelp>
                   <valueHelp>
                     <format>ipv4net</format>
-                    <description>IP address and prefix length</description>
+                    <description>Allowed IPv4 prefix</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>Allowed IPv6 address</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ipv6net</format>
-                    <description>IPv6 address and prefix length</description>
+                    <description>Allowed IPv6 prefix</description>
                   </valueHelp>
                   <multi/>
                   <constraint>
+                    <validator name="ip-address"/>
                     <validator name="ip-prefix"/>
                   </constraint>
                 </properties>

interface-definitions/vpn-ipsec.xml.in

@@ -11,6 +11,39 @@
           <priority>901</priority>
         </properties>
         <children>
+          <node name="authentication">
+            <properties>
+              <help>Authentication</help>
+            </properties>
+            <children>
+              <tagNode name="psk">
+                <properties>
+                  <help>Pre-shared key name</help>
+                </properties>
+                <children>
+                  <leafNode name="id">
+                    <properties>
+                      <help>ID for authentication</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>ID used for authentication</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="secret">
+                    <properties>
+                      <help>IKE pre-shared secret key</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>IKE pre-shared secret key</description>
+                      </valueHelp>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+            </children>
+          </node>
           <leafNode name="disable-uniqreqids">
             <properties>
               <help>Disable requirement for unique IDs in the Security Database</help>
@@ -948,7 +981,6 @@
                           </constraint>
                         </properties>
                       </leafNode>
-                      #include <include/ipsec/authentication-pre-shared-secret.xml.i>
                       <leafNode name="remote-id">
                         <properties>
                           <help>ID for remote authentication</help>
@@ -957,6 +989,7 @@
                             <description>ID used for peer authentication</description>
                           </valueHelp>
                         </properties>
+                        <defaultValue>%any</defaultValue>
                       </leafNode>
                       <leafNode name="use-x509-id">
                         <properties>