
T6237: IPSec remote access VPN: ability to set EAP ID of clients #3337

Merged
merged 1 commit into from Apr 22, 2024

Conversation

Embezzle
Contributor

Change Summary

Add the ability for VyOS IPSec remote-access connections to define acceptable EAP identity of connecting clients.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6237

Related PR(s)

Component(s) name

VPN -> IPSec -> Remote Access

Proposed changes

How to test

  1. Create a VPN remote-access configuration using the new option:
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
set vpn ipsec remote-access connection rw authentication client-mode 'eap-tls'
set vpn ipsec remote-access connection rw authentication eap-id 'user@vyos.net'
set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
  2. Check the swanctl.conf configuration file is showing the correct options:
vyos@vyos:~$ cat /etc/swanctl/swanctl.conf  | grep "eap_id" -B 2 -A 2
        remote {
            auth = eap-tls
            eap_id = user@vyos.net
            cacerts = ca_root.pem
        }

Smoketest result

vyos@vyos:~$ python3 /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
test_dhcp_fail_handling (__main__.TestVPNIPsec.test_dhcp_fail_handling) ... You should set correct remote-address "peer main-branch remote-address x.x.x.x"

Failed to get address from dhcp-interface on site-to-site peer main-branch -- skipped
ok
test_dmvpn (__main__.TestVPNIPsec.test_dmvpn) ... ok
test_flex_vpn_vips (__main__.TestVPNIPsec.test_flex_vpn_vips) ... ok
test_remote_access (__main__.TestVPNIPsec.test_remote_access) ... PKI: Updating config: vpn ipsec remote_access connection vyos-rw authentication x509 certificate peer1

Missing local-address or dhcp-interface on remote-access connection
vyos-rw

ok
test_remote_access_dhcp_fail_handling (__main__.TestVPNIPsec.test_remote_access_dhcp_fail_handling) ... PKI: Updating config: vpn ipsec remote_access connection vyos-rw authentication x509 certificate peer1
PKI: Updating config: vpn ipsec remote_access connection vyos-rw authentication x509 ca_certificate MyVyOS-CA
Failed to get address from dhcp-interface on remote-access connection vyos-rw -- skipped
ok
test_remote_access_eap_tls (__main__.TestVPNIPsec.test_remote_access_eap_tls) ... PKI: Updating config: vpn ipsec remote_access connection vyos-rw authentication x509 certificate peer1

Missing local-address or dhcp-interface on remote-access connection
vyos-rw

ok
test_remote_access_x509 (__main__.TestVPNIPsec.test_remote_access_x509) ... PKI: Updating config: vpn ipsec remote_access connection vyos-rw authentication x509 certificate peer1

Missing local-address or dhcp-interface on remote-access connection
vyos-rw

ok
test_site_to_site (__main__.TestVPNIPsec.test_site_to_site) ... ok
test_site_to_site_vti (__main__.TestVPNIPsec.test_site_to_site_vti) ...
WARNING: It's recommended to use ipsec vti with the next command
[set vpn ipsec option disable-route-autoinstall]

ok
test_site_to_site_x509 (__main__.TestVPNIPsec.test_site_to_site_x509) ... PKI: Updating config: vpn ipsec site_to_site peer office authentication x509 certificate peer1
PKI: Updating config: vpn ipsec site_to_site peer office authentication x509 ca_certificate MyVyOS-CA
PKI: Updating config: vpn ipsec site_to_site peer office authentication x509 ca_certificate MyVyOS-IntCA

WARNING: It's recommended to use ipsec vti with the next command
[set vpn ipsec option disable-route-autoinstall]

ok

----------------------------------------------------------------------
Ran 10 tests in 41.977s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
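The "How to test" steps above end with grepping the rendered swanctl.conf by eye. The following added example (not VyOS project code) does that check programmatically: it parses swanctl.conf's brace-nested format and reports, for every remote-access connection that authenticates clients with EAP, whether the accepted client identity is pinned to a fixed `eap_id` or left as `%any`/unset. The sample configuration is constructed to mirror the `remote` block shown in step 2.

```python
# Added example (not VyOS project code): parse a rendered swanctl.conf and report,
# per remote-access connection, whether the accepted client EAP identity is pinned.
# The sample below is constructed to mirror the 'remote' block shown in the PR.

SAMPLE_SWANCTL = """\
connections {
    rw {
        remote {
            auth = eap-tls
            eap_id = user@vyos.net
            cacerts = ca_root.pem
        }
    }
    rw-open {
        remote {
            auth = eap-tls
            eap_id = %any
        }
    }
}
"""

def parse_swanctl(text):
    """Parse strongSwan's brace-nested 'key = value' layout into nested dicts."""
    stack = [{}]  # stack[-1] is the section currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):  # open a subsection and descend into it
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":  # close the current subsection
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def audit_eap_ids(text):
    """Map each EAP-authenticated connection to its pinned eap_id (None = unpinned)."""
    result = {}
    for name, conn in parse_swanctl(text).get("connections", {}).items():
        for sect, auth in conn.items():  # auth rounds: 'remote', 'remote-1', ...
            if not (sect.startswith("remote") and isinstance(auth, dict)
                    and auth.get("auth", "").startswith("eap")):
                continue
            eap_id = auth.get("eap_id")  # unset or %any: not fixed by the server
            result[name] = None if eap_id in (None, "%any") else eap_id
    return result
```

Run it against `/etc/swanctl/swanctl.conf` on the router after commit; a connection reported as `None` is one where the server does not constrain which EAP identity it accepts.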

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team April 20, 2024 10:24
@c-po
Member

c-po commented Apr 20, 2024

Other than my requested changes on the CLI definition, rest looks fine.

@c-po
Member

c-po commented Apr 22, 2024

@Mergifyio backport sagitta


mergify bot commented Apr 22, 2024

backport sagitta

✅ Backports have been created

@c-po c-po merged commit b5d3d36 into vyos:current Apr 22, 2024
7 of 8 checks passed
@Embezzle Embezzle deleted the T6237 branch April 22, 2024 08:33
dmbaturin added a commit that referenced this pull request Apr 22, 2024
T6237: IPSec remote access VPN: ability to set EAP ID of clients (backport #3337)