├── AUTHORS
├── COPYING
├── ChangeLog
├── Makefile.am
├── NEWS
├── README
├── README.md
├── configure.ac
├── debian
│   ├── README
│   ├── autogen.sh
│   ├── changelog
│   ├── compat
│   ├── control
│   ├── copyright
│   ├── docs
│   ├── lintian
│   ├── rules
│   └── vyatta-ravpn.postinst.in
├── lib
│   └── Vyatta
│       └── AgileConfig.pm
├── scripts
│   └── vyos-update-agile.pl
└── templates-cfg
    └── vpn
        └── ipsec
            └── remote-access
                ├── authentication
                │   ├── local-users
                │   │   ├── node.def
                │   │   └── username
                │   │       ├── node.def
                │   │       └── node.tag
                │   │           ├── disable
                │   │           │   └── node.def
                │   │           └── password
                │   │               └── node.def
                │   ├── mode
                │   │   └── node.def
                │   ├── node.def
                │   └── radius-server
                │       ├── node.def
                │       └── node.tag
                │           └── key
                │               └── node.def
                ├── client-ip-pool
                │   ├── node.def
                │   ├── subnet
                │   │   └── node.def
                │   └── subnet6
                │       └── node.def
                ├── compatibility-mode
                │   └── node.def
                ├── description
                │   └── node.def
                ├── dhcp-interface
                │   └── node.def
                ├── dns-servers
                │   ├── node.def
                │   ├── server-1
                │   │   └── node.def
                │   └── server-2
                │       └── node.def
                ├── esp-settings
                │   ├── node.def
                │   └── proposal
                │       ├── node.def
                │       └── node.tag
                │           ├── dh-group
                │           │   └── node.def
                │           ├── encryption
                │           │   └── node.def
                │           └── hash
                │               └── node.def
                ├── ike-settings
                │   ├── authentication
                │   │   ├── mode
                │   │   │   └── node.def
                │   │   ├── node.def
                │   │   ├── pre-shared-secret
                │   │   │   └── node.def
                │   │   └── x509
                │   │       ├── ca-cert-file
                │   │       │   └── node.def
                │   │       ├── crl-file
                │   │       │   └── node.def
                │   │       ├── local-id
                │   │       │   └── node.def
                │   │       ├── node.def
                │   │       ├── remote-ca-cert-file
                │   │       │   └── node.def
                │   │       ├── remote-id
                │   │       │   └── node.def
                │   │       ├── server-cert-file
                │   │       │   └── node.def
                │   │       ├── server-key-file
                │   │       │   └── node.def
                │   │       ├── server-key-password
                │   │       │   └── node.def
                │   │       └── server-key-type
                │   │           └── node.def
                │   ├── esp-group
                │   │   └── node.def
                │   ├── fragmentation
                │   │   └── node.def
                │   ├── ike-lifetime
                │   │   └── node.def
                │   ├── node.def
                │   ├── operating-mode
                │   │   └── node.def
                │   └── proposal
                │       ├── node.def
                │       └── node.tag
                │           ├── dh-group
                │           │   └── node.def
                │           ├── encryption
                │           │   └── node.def
                │           └── hash
                │               └── node.def
                ├── inactivity
                │   └── node.def
                ├── local-ip
                │   └── node.def
                ├── node.def
                ├── outside-address
                │   └── node.def
                ├── updown-script
                │   └── node.def
                └── wins-servers
                    ├── node.def
                    ├── server-1
                    │   └── node.def
                    └── server-2
                        └── node.def

--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TriJetScud/vyos-agile-vpn/5093c74d0c8bae21ab2526db2d6ec8052fdc516d/AUTHORS

--------------------------------------------------------------------------------
/COPYING:
--------------------------------------------------------------------------------
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users.  This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it.  (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.)  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

  To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have.  You must make sure that they, too, receive or can get the
source code.  And you must show them these terms so they know their
rights.

  We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

  Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software.  If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

  Finally, any free program is threatened constantly by software
patents.  We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary.  To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

  The precise terms and conditions for copying, distribution and
modification follow.

                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License.  The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language.  (Hereinafter, translation is included without limitation in
the term "modification".)  Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.

    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it.  For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable.  However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License.  Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

  5. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Program or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

  7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.  For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded.  In such case, this License incorporates
the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time.  Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number.  If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation.  If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

  10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission.  For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this.  Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

                            NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

                     END OF TERMS AND CONDITIONS

            How to Apply These Terms to Your New Programs

  If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

  To do so, attach the following notices to the program.  It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.


    Copyright (C)

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License.  Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary.  Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.

  , 1 April 1989
  Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs.  If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library.  If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

--------------------------------------------------------------------------------
/ChangeLog:
--------------------------------------------------------------------------------
debian/changelog

--------------------------------------------------------------------------------
/Makefile.am:
--------------------------------------------------------------------------------
cfgdir = $(datadir)/vyatta-cfg/templates
opdir = $(datadir)/vyatta-op/templates
share_perl5dir = $(datarootdir)/perl5/Vyatta
ravpnconfdir = $(sysconfdir)/ravpn
bin_sudo_usersdir = $(bindir)/sudo-users

sbin_SCRIPTS = scripts/vyos-update-agile.pl

share_perl5_DATA = lib/Vyatta/AgileConfig.pm

cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
	cpio -0pd

install-exec-hook:
	mkdir -p $(DESTDIR)$(cfgdir)
	cd templates-cfg; $(cpiop) $(DESTDIR)$(cfgdir)
	# mkdir -p $(DESTDIR)$(opdir)
	# cd templates-op; $(cpiop) $(DESTDIR)$(opdir)

--------------------------------------------------------------------------------
/NEWS:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TriJetScud/vyos-agile-vpn/5093c74d0c8bae21ab2526db2d6ec8052fdc516d/NEWS

--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TriJetScud/vyos-agile-vpn/5093c74d0c8bae21ab2526db2d6ec8052fdc516d/README

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# IKEv2 Remote Access VPN for EdgeOS/VyOS

This is the source package for enabling an EdgeOS/VyOS router to host IKEv2 (Agile) Remote Access VPNs.

--------------------------------------------------------------------------------
/configure.ac:
--------------------------------------------------------------------------------
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)

m4_define([VERSION_ID], [m4_esyscmd([
	if test -f .version ; then
	    head -n 1 .version | tr -d \\n
	else
	    echo -n 2.4
	fi])])
AC_INIT([vyos-vpn-agile], VERSION_ID, [jleung@v10networks.ca])

test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION

AC_CONFIG_AUX_DIR([config])
AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects])
AC_PREFIX_DEFAULT([/opt/vyatta])

AC_ARG_ENABLE([nostrip],
	AC_HELP_STRING([--enable-nostrip],
	[include -nostrip option during packaging]),
	[NOSTRIP=-nostrip], [NOSTRIP=])

AC_CONFIG_FILES(
	[Makefile]
	[debian/vyatta-ravpn.postinst])

AC_SUBST(NOSTRIP)

AC_OUTPUT


--------------------------------------------------------------------------------
/debian/README:
--------------------------------------------------------------------------------
The Debian Package vyatta-ravpn
---------------------------------

This package has the Vyatta configuration/operational templates and scripts for remote access VPN.

 -- An-Cheng Huang  Fri, 28 Dec 2007


--------------------------------------------------------------------------------
/debian/autogen.sh:
--------------------------------------------------------------------------------
#!/bin/sh


rm -rf config
# "config.status" and "config.sub" were run together in the original; they are two separate files
rm -f aclocal.m4 config.guess config.status config.sub configure INSTALL

autoreconf --force --install

rm -f config.sub config.guess
ln -s /usr/share/misc/config.sub .
ln -s /usr/share/misc/config.guess .

--------------------------------------------------------------------------------
/debian/changelog:
--------------------------------------------------------------------------------
vyos-vpn-agile (0.2.7) unstable; urgency=low

  * Fix the bug where IPv6 subnets generate the wrong leftsubnet= output

 -- Jeff Leung  Thu, 14 Jul 2016 00:45:02 -0700

vyos-vpn-agile (0.2.6) unstable; urgency=low

  * Only send out IPv6 default route when subnet6 is configured
  * Fix AES GCM Cipher names

 -- Jeff Leung  Tue, 12 Jul 2016 14:35:38 -0700

vyos-vpn-agile (0.2.5) unstable; urgency=low

  * Stage the configuration commands for IKEv1 XAUTH VPNs
  * Handle the new 'operating-mode' option.
  * Properly clean up RADIUS and Attribute related generated
    configuration files
  * Implement IKEv1 XAUTH RSA and PSK and IKEv1 XAUTH Hybrid Operating
    Mode

 -- Jeff Leung  Mon, 18 Apr 2016 00:15:49 -0700

vyos-vpn-agile (0.2.1) unstable; urgency=low

  * Update isDifferent from function for Client IP pools

 -- Jeff Leung  Sat, 16 Apr 2016 13:28:39 -0700

vyos-vpn-agile (0.2.0) unstable; urgency=low

  * 0.2.0 Release

  [ Jeff Leung ]
  * Allow the user to specify the server-id for certain problematic
    IKEv2 RA clients
  * Add "inactivity" option for IKEv2 Remote Access VPNs

  [ Florent Daigniere ]
  * Smarter/secure defaults
  * Ensure we always send the ipv6 default route
  * MacOS compatibility: derive the leftid from rightid, always send our
    cert
  * Let the user configure leftid/rightid
  * update changelog
  * fix indent
  * Apparently we need leftfirewall=yes too
  * Ensure that the daemon is restarted if we change the local/remote id
  * Bump version
  * Add lefthostaccess=yes
  * bump version to 0.1.4
  * With ikev2 we should give rekey its chance
  * If we can do aes256gcm128 in IKE that's good too
  * Add a compatibility mode (permissive proposals)
  * bump version
  * Disable rekeying again, it's broken
  * Bump version to 0.1.7 ; try suiteB first (requires 1.8.5+)
  * Add modp4096 to the proposal too
  * add a remote-ca-cert-file option as well as support for EAP-TLS
  * release 0.1.8

  [ Jeff Leung ]
  * Allow the user to define separate IKE and ESP proposals for IKEv2
    Remote Access Connections
  * Restore the dhcp-interfaces option and resolve a regression that the
    new code introduced
  * Block dhcp-interface and outside-address being defined together

 -- Jeff Leung  Sat, 16 Apr 2016 00:24:37 -0700

vyos-vpn-agile (0.1.8) UNRELEASED; urgency=low

  * Add support for EAP-TLS
  * Add an option to pin a specific remote-ca
  * Add modp4096 to the default proposal

 -- Florent Daigniere  Mon, 15 April 2016 12:00:00 +0000

vyos-vpn-agile (0.1.7) UNRELEASED; urgency=low

  * Try suite-B as the first proposal; requires 1.8.5+

 -- Florent Daigniere  Mon, 13 April 2016 12:00:00 +0000

vyos-vpn-agile (0.1.6) UNRELEASED; urgency=low

  * disable rekeying; it just doesn't work.

 -- Florent Daigniere  Mon, 18 Feb 2016 21:00:00 +0000

vyos-vpn-agile (0.1.5) UNRELEASED; urgency=low

  * Re-enable rekeying; the new default is an IKE lifetime of 1d and an
    IPSEC lifetime of 1h
  * Create a new option called compatibility-mode, allowing "permissive"
    proposals
  * Include AES-GCM in the default proposal

 -- Florent Daigniere  Mon, 18 Feb 2016 20:00:00 +0000

vyos-vpn-agile (0.1.4) UNRELEASED; urgency=low

  * Set lefthostaccess=yes

 -- Florent Daigniere  Mon, 17 Feb 2016 20:00:00 +0000

vyos-vpn-agile (0.1.3) UNRELEASED; urgency=low

  * Set leftfirewall=yes to ensure it 'just works'
  * Fix a minor bug where the daemon might not
    be restarted if the local/remote IDs change

 -- Florent Daigniere  Mon, 16 Feb 2016 20:00:00 +0000

vyos-vpn-agile (0.1.2) UNRELEASED; urgency=low

  * Add smarter defaults for proposals
  * Ensure that a default route is sent for ipv6 too
  * Allow the user to configure leftid/rightid
  * Always send the x509 certificate (IOS compatibility)

 -- Florent Daigniere  Mon, 15 Feb 2016 20:00:00 +0000

vyos-vpn-agile (0.1.1) UNRELEASED; urgency=low

  * Add an aes256-sha1 without a PFS group [b8a775]
  * Use swanctl to reload if it exists on the system [c6179e]

 -- Jeff Leung  Mon, 05 Oct 2015 20:00:00 +0000

vyos-vpn-agile (0.1) UNRELEASED; urgency=low

  * Initial Packaging

 -- Jeff Leung  Tue, 01 Sep 2015 06:15:47 +0000

--------------------------------------------------------------------------------
/debian/compat:
--------------------------------------------------------------------------------
5

--------------------------------------------------------------------------------
/debian/control:
--------------------------------------------------------------------------------
Source: vyos-vpn-agile
Section: contrib/net
Priority: extra
Maintainer: VyOS Package Maintainers
Build-Depends: debhelper (>= 5), autotools-dev
Standards-Version: 3.7.2

Package: vyos-vpn-agile
Architecture: all
Depends: perl,
 vyatta-cfg,
 vyatta-op,
 vyatta-cfg-vpn,
 vyatta-op-vpn,
Description: VyOS Agile VPN configuration scripts

--------------------------------------------------------------------------------
/debian/copyright:
--------------------------------------------------------------------------------
This package was debianized by An-Cheng Huang on
Fri, 28 Dec 2007 13:49:53 -0700.

It is original content from the GIT repository

Upstream Author:



Copyright:

	Copyright (C) 2007 Vyatta, Inc.
	All Rights Reserved.

License:


    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2, or (at your option)
    any later version.

    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    General Public License for more details.

    A copy of the GNU General Public License is available as
    `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
    or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
    You can also obtain it by writing to the Free Software Foundation,
    Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
    MA 02110-1301, USA.

The Debian packaging is (C) 2007, An-Cheng Huang and
is licensed under the GPL, see above.

--------------------------------------------------------------------------------
/debian/docs:
--------------------------------------------------------------------------------
NEWS
README

--------------------------------------------------------------------------------
/debian/lintian:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TriJetScud/vyos-agile-vpn/5093c74d0c8bae21ab2526db2d6ec8052fdc516d/debian/lintian

--------------------------------------------------------------------------------
/debian/rules:
--------------------------------------------------------------------------------
#!/usr/bin/make -f
# -*- makefile -*-
# Sample debian/rules that uses debhelper.
# This file was originally written by Joey Hess and Craig Small.
# As a special exception, when this file is copied by dh-make into a
# dh-make output file, you may use that output file without restriction.
# This special exception was added by Craig Small in version 0.37 of dh-make.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1


# These are used for cross-compiling and for saving the configure script
# from having to guess our platform (since we know it already)
DEB_HOST_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
PACKAGE=vyos-vpn-agile
PKGDIR=$(CURDIR)/debian/$(PACKAGE)

CFLAGS = -Wall -g

configure = ./configure
configure += --host=$(DEB_HOST_GNU_TYPE)
configure += --build=$(DEB_BUILD_GNU_TYPE)
configure += --prefix=/opt/vyatta
configure += --mandir=\$${prefix}/share/man
configure += --infodir=\$${prefix}/share/info
configure += CFLAGS="$(CFLAGS)"
configure += LDFLAGS="-Wl,-z,defs"

ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
	CFLAGS += -O0
else
	CFLAGS += -O2
endif

configure: configure.ac Makefile.am
	chmod +x debian/autogen.sh
	debian/autogen.sh

config.status: configure
	dh_testdir
	rm -f config.cache
	$(configure)

build: build-stamp

build-stamp: config.status
	dh_testdir
	$(MAKE)
	touch $@

clean: clean-patched

# Clean everything up, including everything auto-generated
# at build time that needs not to be kept around in the Debian diff
clean-patched:
	dh_testdir
	dh_testroot
	if test -f Makefile ; then $(MAKE) clean distclean ; fi
	rm -f build-stamp
	rm -f config.status config.sub config.guess config.log
	rm -f aclocal.m4 configure Makefile.in Makefile INSTALL
	rm -rf config
	dh_clean

install: build
	dh_testdir
	dh_testroot
	dh_clean -k
	dh_installdirs

	$(MAKE) DESTDIR=$(PKGDIR) install

	install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE)

# Build architecture-independent files here.
binary-indep: build install
	rm -f debian/files
	dh_testdir
	dh_testroot
	dh_installchangelogs ChangeLog
	dh_installdocs
	dh_install
	dh_installdebconf
	dh_link
	dh_strip
	dh_compress
	dh_fixperms
	dh_installdeb
	if [ -f "../.VYATTA_DEV_BUILD" ]; then \
	  dh_gencontrol -- -v999.dev; \
	else \
	  dh_gencontrol; \
	fi
	dh_md5sums
	dh_builddeb

# Build architecture-dependent files here.
binary-arch: build install
# This is an architecture independent package
# so; we have nothing to do by default.

binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install

--------------------------------------------------------------------------------
/debian/vyatta-ravpn.postinst.in:
--------------------------------------------------------------------------------
#!/bin/bash

prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@

--------------------------------------------------------------------------------
/lib/Vyatta/AgileConfig.pm:
--------------------------------------------------------------------------------
package Vyatta::AgileConfig;

use strict;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
use Vyatta::Misc;
use NetAddr::IP;

my $cfg_delim_begin = '### VyOS Agile VPN Begin ###';
my $cfg_delim_end = '### VyOS Agile VPN End ###';

my $CA_CERT_PATH = '/etc/ipsec.d/cacerts';
my $CRL_PATH = '/etc/ipsec.d/crls';
my $SERVER_CERT_PATH = '/etc/ipsec.d/certs';
my $SERVER_KEY_PATH = '/etc/ipsec.d/private';

my %fields = (
    _mode => undef,
    _psk => undef,
    _x509_cacert => undef,
    _x509_rcacert => undef,
    _x509_crl => undef,
    _x509_s_cert => undef,
    _x509_s_key => undef,
    _x509_s_pass => undef,
    _x509_t_key => undef,
    _x509_r_id => undef,
    _x509_l_id => undef,
    _out_addr => undef,
    _dhcp_if => undef,
    _client_ip_pool => undef,
    _client_ip6_pool => undef,
    _auth_mode => undef,
    _oper_mode => undef,
    _mtu => undef,
    _ike_lifetime => undef,
    _inactivity => undef,
    _ike_group => undef,
    _esp_group => undef,
    _auth_require => undef,
    _fragmentation => undef,
    _compat => undef,
    _auth_local => [],
    _auth_radius => [],
    _auth_radius_keys => [],
    _dns => [],
    _wins => [],
    _is_empty => 1,
);

sub new {
    my $that = shift;
    my $class = ref ($that) || $that;
    my $self = {
        %fields,
    };

    bless $self, $class;
    return $self;
}

sub setup {
    my ( $self ) = @_;
    my $config = new Vyatta::Config;

    $config->setLevel('vpn ipsec remote-access');
    my @nodes = $config->listNodes();
    if (scalar(@nodes) <= 0) {
        $self->{_is_empty} = 1;
        return 0;
    } else {
        $self->{_is_empty} = 0;
    }
    $self->{_dhcp_if} = $config->returnValue('dhcp-interface');
    $self->{_compat} = $config->returnValue('compatibility-mode');
    $self->{_mode} = $config->returnValue('ike-settings authentication mode');
    $self->{_psk} = $config->returnValue('ike-settings authentication pre-shared-secret');
    $self->{_fragmentation} = $config->returnValue('ike-settings fragmentation');
    $self->{_inactivity} = $config->returnValue('inactivity');
    $self->{_ike_lifetime} = $config->returnValue('ike-settings ike-lifetime');
    $self->{_oper_mode} = $config->returnValue('ike-settings operating-mode');
    $self->{_ike_group} = $config->returnValue('ike-settings proposal 1 encryption');
    $self->{_esp_group} = $config->returnValue('esp-settings proposal 1 encryption');
    my $pfx = 'ike-settings authentication x509';
    $self->{_x509_cacert} = $config->returnValue("$pfx ca-cert-file");
    $self->{_x509_rcacert} = $config->returnValue("$pfx remote-ca-cert-file");
    $self->{_x509_crl} = $config->returnValue("$pfx crl-file");
    $self->{_x509_s_cert} = $config->returnValue("$pfx server-cert-file");
    $self->{_x509_s_key} = $config->returnValue("$pfx server-key-file");
    $self->{_x509_s_pass} = $config->returnValue("$pfx server-key-password");
    $self->{_x509_t_key} = $config->returnValue("$pfx server-key-type");
    $self->{_x509_l_id} = $config->returnValue("$pfx local-id");
    $self->{_x509_r_id} = $config->returnValue("$pfx remote-id");

    $self->{_out_addr} = $config->returnValue('outside-address');
    $self->{_client_ip_pool} = $config->returnValue('client-ip-pool subnet');
    $self->{_client_ip6_pool} = $config->returnValue('client-ip-pool subnet6');
    $self->{_auth_mode} = $config->returnValue('authentication mode');
    $self->{_auth_require} = $config->returnValue('authentication require');
    $self->{_mtu} = $config->returnValue('mtu');
    $self->{_left_updown} = $config->returnValue('updown-script');

    my @users = $config->listNodes('authentication local-users username');
    foreach my $user (@users) {
        my $plvl = "authentication local-users username $user password";
        my $pass = $config->returnValue("$plvl");
        my $dlvl = "authentication local-users username $user disable";
        my $disable = 'enable';
        $disable = 'disable' if $config->exists("$dlvl");
        $self->{_auth_local} = [ @{$self->{_auth_local}}, $user, $pass, $disable ];
    }

    my @rservers = $config->listNodes('authentication radius-server');
    foreach my $rserver (@rservers) {
        my $key = $config->returnValue(
            "authentication radius-server $rserver key");
        $self->{_auth_radius} = [ @{$self->{_auth_radius}}, $rserver ];
        if (defined($key)) {
            $self->{_auth_radius_keys} = [ @{$self->{_auth_radius_keys}}, $key ];
        }
        # later we will check if the two lists have the same length
    }

    my $tmp = $config->returnValue('dns-servers server-1');
    if (defined($tmp)) {
        $self->{_dns} = [ @{$self->{_dns}}, $tmp ];
    }
    $tmp = $config->returnValue('dns-servers server-2');
    if (defined($tmp)) {
        $self->{_dns} = [ @{$self->{_dns}}, $tmp ];
    }

    $tmp = $config->returnValue('wins-servers server-1');
    if (defined($tmp)) {
        $self->{_wins} = [ @{$self->{_wins}}, $tmp ];
    }
    $tmp = $config->returnValue('wins-servers server-2');
    if (defined($tmp)) {
        $self->{_wins} = [ @{$self->{_wins}}, $tmp ];
    }

    return 0;
}

sub setupOrig {
    my ( $self ) = @_;
    my $config = new Vyatta::Config;

    $config->setLevel('vpn ipsec remote-access');
    my @nodes = $config->listOrigNodes();
    if (scalar(@nodes) <= 0) {
        $self->{_is_empty} = 1;
        return 0;
    } else {
        $self->{_is_empty} = 0;
    }
    $self->{_dhcp_if} = $config->returnOrigValue('dhcp-interface');
    $self->{_compat} = $config->returnOrigValue('compatibility-mode');
    $self->{_mode} = 'x509';
    $self->{_inactivity} = $config->returnOrigValue('inactivity');
    $self->{_fragmentation} = $config->returnOrigValue('ike-settings fragmentation');
    $self->{_ike_lifetime} = $config->returnOrigValue('ike-settings ike-lifetime');
    $self->{_oper_mode} = $config->returnOrigValue('ike-settings operating-mode');
    $self->{_ike_group} = $config->returnOrigValue('ike-settings proposal 1 encryption');
    $self->{_esp_group} = $config->returnOrigValue('esp-settings proposal 1 encryption');
    my $pfx = 'ike-settings authentication x509';
    $self->{_x509_cacert} = $config->returnOrigValue("$pfx ca-cert-file");
    $self->{_x509_rcacert} = $config->returnOrigValue("$pfx remote-ca-cert-file");
    $self->{_x509_crl} = $config->returnOrigValue("$pfx crl-file");
    $self->{_x509_s_cert} = $config->returnOrigValue("$pfx server-cert-file");
    $self->{_x509_s_key} = $config->returnOrigValue("$pfx server-key-file");
    $self->{_x509_s_pass} = $config->returnOrigValue("$pfx server-key-password");
    $self->{_x509_t_key} = $config->returnOrigValue("$pfx server-key-type");
    $self->{_x509_l_id} = $config->returnOrigValue("$pfx local-id");
    $self->{_x509_r_id} = $config->returnOrigValue("$pfx remote-id");

    $self->{_out_addr} = $config->returnOrigValue('outside-address');
    $self->{_client_ip_pool} = $config->returnOrigValue('client-ip-pool subnet');
    $self->{_client_ip6_pool} = $config->returnOrigValue('client-ip-pool subnet6');
    $self->{_auth_mode} = $config->returnOrigValue('authentication mode');
    # setupOrig must read the pre-commit values; returnValue() here would
    # read the candidate config and hide a change of these two nodes
    $self->{_auth_require} = $config->returnOrigValue('authentication require');
    $self->{_mtu} = $config->returnOrigValue('mtu');
    $self->{_left_updown} = $config->returnOrigValue('updown-script');

    my @users = $config->listOrigNodes('authentication local-users username');
    foreach my $user (@users) {
        my $plvl = "authentication local-users username $user password";
        my $pass = $config->returnOrigValue("$plvl");
        my $dlvl = "authentication local-users username $user disable";
        my $disable = 'enable';
        $disable = 'disable' if $config->existsOrig("$dlvl");
        $self->{_auth_local} = [ @{$self->{_auth_local}}, $user, $pass, $disable ];
    }

    my @rservers = $config->listOrigNodes('authentication radius-server');
    foreach my $rserver (@rservers) {
        my $key = $config->returnOrigValue(
            "authentication radius-server $rserver key");
        $self->{_auth_radius} = [ @{$self->{_auth_radius}}, $rserver ];
        if (defined($key)) {
            $self->{_auth_radius_keys} = [ @{$self->{_auth_radius_keys}}, $key ];
        }
        # later we will check if the two lists have the same length
    }

    my $tmp = $config->returnOrigValue('dns-servers server-1');
    if (defined($tmp)) {
        $self->{_dns} = [ @{$self->{_dns}}, $tmp ];
    }
    $tmp = $config->returnOrigValue('dns-servers server-2');
    if (defined($tmp)) {
        $self->{_dns} = [ @{$self->{_dns}}, $tmp ];
    }

    $tmp = $config->returnOrigValue('wins-servers server-1');
    if (defined($tmp)) {
        $self->{_wins} = [ @{$self->{_wins}}, $tmp ];
    }
    $tmp = $config->returnOrigValue('wins-servers server-2');
    if (defined($tmp)) {
        $self->{_wins} = [ @{$self->{_wins}}, $tmp ];
    }

    return 0;
}

sub listsDiff {
    my @a = @{$_[0]};
    my @b = @{$_[1]};
    return 1 if ((scalar @a) != (scalar @b));
    # index-based walk: a "while (shift)" loop stops early on a false
    # element such as an empty password or the string "0"
    for my $i (0 .. $#a) {
        my $x = defined($a[$i]) ? $a[$i] : '';
        my $y = defined($b[$i]) ? $b[$i] : '';
        return 1 if ($x ne $y);
    }
    return 0;
}

sub globalIPsecChanged {
    my $config = new Vyatta::Config();
    $config->setLevel('vpn');
    # for now, treat it as changed if anything under ipsec changed
    return 1 if ($config->isChanged('ipsec'));
    return 0;
}

sub isDifferentFrom {
    my ($this, $that) = @_;

    return 1 if ($this->{_is_empty} ne $that->{_is_empty});
    return 1 if ($this->{_mode} ne $that->{_mode});
    return 1 if ($this->{_compat} ne $that->{_compat});
    return 1 if ($this->{_ike_lifetime} ne $that->{_ike_lifetime});
    return 1 if ($this->{_x509_cacert} ne $that->{_x509_cacert});
    return 1 if ($this->{_x509_rcacert} ne $that->{_x509_rcacert});
    return 1 if ($this->{_x509_crl} ne $that->{_x509_crl});
    return 1 if ($this->{_x509_s_cert} ne $that->{_x509_s_cert});
    return 1 if ($this->{_x509_s_key} ne $that->{_x509_s_key});
    return 1 if ($this->{_x509_s_pass} ne $that->{_x509_s_pass});
    return 1 if ($this->{_x509_t_key} ne $that->{_x509_t_key});
    return 1 if ($this->{_x509_l_id} ne $that->{_x509_l_id});
    return 1 if ($this->{_x509_r_id} ne $that->{_x509_r_id});
    return 1 if ($this->{_out_addr} ne $that->{_out_addr});
    return 1 if ($this->{_dhcp_if} ne $that->{_dhcp_if});
    return 1 if ($this->{_client_ip_pool} ne $that->{_client_ip_pool});
    return 1 if ($this->{_client_ip6_pool} ne $that->{_client_ip6_pool});
    return 1 if ($this->{_auth_mode} ne $that->{_auth_mode});
    return 1 if ($this->{_auth_require} ne $that->{_auth_require});
    return 1 if ($this->{_mtu} ne $that->{_mtu});
    return 1 if ($this->{_left_updown} ne $that->{_left_updown});
    return 1 if (listsDiff($this->{_auth_local}, $that->{_auth_local}));
    return 1 if (listsDiff($this->{_auth_radius}, $that->{_auth_radius}));
    return 1 if (listsDiff($this->{_auth_radius_keys},
                           $that->{_auth_radius_keys}));
    return 1 if (listsDiff($this->{_dns}, $that->{_dns}));
    return 1 if (listsDiff($this->{_wins}, $that->{_wins}));
    return 1 if (globalIPsecChanged());

    return 0;
}

sub needsRestart {
    my ($this, $that) = @_;

    return 1 if ($this->{_is_empty} ne $that->{_is_empty});
    return 1 if ($this->{_compat} ne $that->{_compat});
    return 1 if ($this->{_mode} ne $that->{_mode});
    return 1 if ($this->{_ike_lifetime} ne $that->{_ike_lifetime});
    return 1 if ($this->{_x509_cacert} ne $that->{_x509_cacert});
    return 1 if ($this->{_x509_rcacert} ne $that->{_x509_rcacert});
    return 1 if ($this->{_x509_crl} ne $that->{_x509_crl});
    return 1 if ($this->{_x509_s_cert} ne $that->{_x509_s_cert});
    return 1 if ($this->{_x509_s_key} ne $that->{_x509_s_key});
    return 1 if ($this->{_x509_s_pass} ne $that->{_x509_s_pass});
    return 1 if ($this->{_x509_t_key} ne $that->{_x509_t_key});
    return 1 if ($this->{_x509_l_id} ne $that->{_x509_l_id});
    return 1 if ($this->{_x509_r_id} ne $that->{_x509_r_id});
    return 1 if ($this->{_out_addr} ne $that->{_out_addr});
    return 1 if ($this->{_dhcp_if} ne $that->{_dhcp_if});
    return 1 if ($this->{_out_nexthop} ne $that->{_out_nexthop});
    return 1 if ($this->{_client_ip_start} ne $that->{_client_ip_start});
    return 1 if ($this->{_client_ip_stop} ne $that->{_client_ip_stop});
    return 1 if ($this->{_mtu} ne $that->{_mtu});
    return 1 if ($this->{_left_updown} ne $that->{_left_updown});
    return 1 if ($this->{_auth_mode} ne $that->{_auth_mode});
    return 1 if (globalIPsecChanged());

    return 0;
}

sub isEmpty {
    my ($self) = @_;
    return $self->{_is_empty};
}

sub setupX509IfNecessary {
    my ($self) = @_;
    return (undef, "IPsec authentication mode not defined")
        if (!defined($self->{_mode}));
    my $mode = $self->{_mode};
    if ($mode eq 'pre-shared-secret') {
        return;
    }

    return "\"ca-cert-file\" must be defined for X.509\n"
        if (!defined($self->{_x509_cacert}));
    return "\"server-cert-file\" must be defined for X.509\n"
        if (!defined($self->{_x509_s_cert}));
    return "\"server-key-file\" must be defined for X.509\n"
        if (!defined($self->{_x509_s_key}));

    return "Invalid ca-cert-file \"$self->{_x509_cacert}\""
        if (! -f $self->{_x509_cacert});
    return "Invalid remote-ca-cert-file \"$self->{_x509_rcacert}\""
        if (! -f $self->{_x509_rcacert});
    return "Invalid server-cert-file \"$self->{_x509_s_cert}\""
        if (! -f $self->{_x509_s_cert});
    return "Invalid server-key-file \"$self->{_x509_s_key}\""
        if (! -f $self->{_x509_s_key});

    # list-form system(): the configured path is passed to cp as a single
    # argument and is never parsed by a shell
    if (defined($self->{_x509_crl})) {
        return "Invalid crl-file \"$self->{_x509_crl}\""
            if (! -f $self->{_x509_crl});
        system('cp', '-f', $self->{_x509_crl}, "$CRL_PATH/");
        return "Cannot copy $self->{_x509_crl}" if ($? >> 8);
    }

    # perform more validation of the files

    system('cp', '-f', $self->{_x509_cacert}, "$CA_CERT_PATH/");
    return "Cannot copy $self->{_x509_cacert}" if ($? >> 8);
    system('cp', '-f', $self->{_x509_rcacert}, "$CA_CERT_PATH/");
    return "Cannot copy $self->{_x509_rcacert}" if ($? >> 8);
    system('cp', '-f', $self->{_x509_s_cert}, "$SERVER_CERT_PATH/");
    return "Cannot copy $self->{_x509_s_cert}" if ($? >> 8);
    system('cp', '-f', $self->{_x509_s_key}, "$SERVER_KEY_PATH/");
    return "Cannot copy $self->{_x509_s_key}" if ($? >> 8);

    return;
}

sub get_ipsec_secrets {
    my ($self) = @_;
    my $str;
    if ($self->{_mode} eq 'x509') {
        # X509
        my $key_file = $self->{_x509_s_key};
        my $key_pass = $self->{_x509_s_pass};
        my $key_type = $self->{_x509_t_key};
        my $key_str;
        return (undef, "\"server-key-file\" not defined")
            if (!defined($key_file));
        if (defined($key_type) && $key_type eq 'ecdsa') {
            $key_str = 'ECDSA';
        } else {
            $key_str = 'RSA';
        }
        my $pstr = (defined($key_pass) ? " \"$key_pass\"" : '');
        # the key is referenced by its copy under $SERVER_KEY_PATH
        $key_file =~ s/^.*(\/[^\/]+)$/${SERVER_KEY_PATH}$1/;
        $str =<{_mode} eq 'pre-shared-secret') {
        # PSK
        my $key = $self->{_psk};
        my $oaddr = $self->{_out_addr};
        if (defined($self->{_dhcp_if})) {
            return (undef, "The specified interface is not configured for DHCP")
                if (!Vyatta::Misc::is_dhcp_enabled($self->{_dhcp_if}, 0));
            my $dhcpif = $self->{_dhcp_if};
            $oaddr = get_dhcp_addr($dhcpif);
        }
        return (undef, "IPsec pre-shared secret not defined") if (!defined($key));
        return (undef, "Outside address not defined") if (!defined($oaddr));
        $str = "$cfg_delim_begin\n";
        $oaddr = "#" if ($oaddr eq '');
        $str .= "$oaddr %any : PSK \"$key\"";
        $str .= " \#dhcp-ra-interface=$self->{_dhcp_if}\#" if (defined($self->{_dhcp_if}));
        $str .= "\n";
        $str .= "$cfg_delim_end\n";
    }
    return ($str, undef);
}

sub get_dhcp_addr {
    my ($if) = @_;
    my @dhcp_addr = Vyatta::Misc::getIP($if, 4);
    my $ifaceip = shift(@dhcp_addr);
    # getIP() returns "addr/prefixlen"; keep only the address part
    @dhcp_addr = split(/\//, $ifaceip);
    $ifaceip = $dhcp_addr[0];
    return ' ' if (!defined($ifaceip));
    return $ifaceip;
}

sub get_ra_conn {
    my ($self, $name) = @_;
    my $oaddr = $self->{_out_addr};
    if (defined($self->{_dhcp_if})) {
        return (undef, "The specified interface is not configured for DHCP")
            if (!Vyatta::Misc::is_dhcp_enabled($self->{_dhcp_if}, 0));
        my $dhcpif = $self->{_dhcp_if};
        $oaddr = get_dhcp_addr($dhcpif);
    }
    if (defined($self->{_dhcp_if}) && defined($self->{_out_addr})) {
        return (undef, "The options dhcp-interface and outside-address may not be defined together. Please use either dhcp-interface or outside-address");
    }
    # use strongSwan's %defaultroute macro if outside address is set to 0.0.0.0
    # (string comparison: a numeric == would match any address that numifies to 0)
    if (defined($self->{_out_addr}) && $self->{_out_addr} eq "0.0.0.0") {
        $oaddr = "%defaultroute";
    }
    return (undef, "Outside address not defined") if (!defined($oaddr));
    return (undef, "Client IP Pool must be defined")
        if (!defined($self->{_client_ip_pool}));
    my $client_ip_pool = $self->{_client_ip_pool};
    my $client_ip6_pool;
    my $left_subnet_route = "0.0.0.0/0";
    my $auth_str;
    my $auth_mode;
    my $right_ca;
    my $server_id;
    my $leftupdown;
    my $esp_str;
    my $ike_str;
    return (undef, "IPsec authentication mode not defined")
        if (!defined($self->{_mode}));
    if (!defined($self->{_ike_group})) {
        $ike_str = "aes256gcm128-aes128gcm128-ecp384-ecp256-prfsha384-prfsha256,aes256-aes128-sha384-sha256-sha1-ecp384-ecp256-modp4096-modp3072-modp2048-prfsha384-prfsha256-prfsha1";
    } else {
        $ike_str = get_ike_proposals();
    }
    if (!defined($self->{_esp_group})) {
        $esp_str = "aes256gcm128-ecp384-ecp256-esn-noesn,aes256-aes128-sha1-ecp384-ecp256-modp4096-modp3072-modp2048-esn-noesn";
    } else {
        $esp_str = get_esp_proposals();
    }
    if (defined($self->{_client_ip6_pool})) {
        $client_ip6_pool = "," . $self->{_client_ip6_pool};
        $left_subnet_route .= "," . "::/0";
    }
    my $mode;
    if ($self->{_mode} eq 'pre-shared-secret') {
        $mode = "psk";
    } else {
        $mode = "pubkey";
    }
    my $fragmentation;
    if (defined($self->{_fragmentation}) && $self->{_fragmentation} eq 'enable') {
        $fragmentation = " fragmentation=yes";
    }
    # a trailing "!" makes the proposal list strict; compatibility-mode drops it
    my $compat;
    if (!defined($self->{_compat}) || $self->{_compat} eq 'disable') {
        $compat = "!";
    }
    if (defined($self->{_x509_l_id})) {
        $server_id = " leftid=" . $self->{_x509_l_id} . "\n";
    }
    if (defined($self->{_left_updown})) {
        $leftupdown = " leftupdown=" . $self->{_left_updown} . "\n";
    }
    if (defined($self->{_x509_r_id})) {
        $server_id = $server_id . " rightid=" . $self->{_x509_r_id};
    }
    if ($self->{_mode} eq 'x509') {
        my $server_cert = $self->{_x509_s_cert};
        return (undef, "\"server-cert-file\" not defined")
            if (!defined($server_cert));
        $server_cert =~ s/^.*(\/[^\/]+)$/${SERVER_CERT_PATH}$1/;
        $auth_str =<{_x509_rcacert})) {
            my $remote_ca = $self->{_x509_rcacert};
            return (undef, "\"remote-ca-cert-file\" not defined")
                if (!defined($remote_ca));
            $remote_ca =~ s/^.*(\/[^\/]+)$/${CA_CERT_PATH}$1/;
            $right_ca = "rightca=" . $self->{_x509_rcacert};
            $right_ca = $right_ca . "\n rightca2=" . $self->{_x509_rcacert};
        }
    }
    if ($self->{_mode} eq 'pre-shared-secret') {
        $auth_str = " leftauth=psk\n";
    }
    my $str =<{_ike_lifetime})) {
        $str .= " ikelifetime=$self->{_ike_lifetime}\n";
    } else {
        $str .= " ikelifetime=86400s\n";
    }
    if (defined($self->{_inactivity})) {
        $str .= " inactivity=" . $self->{_inactivity} . "\n";
    } else {
        $str .= " inactivity=28800s\n";
    }
    $str .= "\n";
    if ($self->{_oper_mode} eq 'ikev2-mobike') {
        # auth modes for client
        if ($self->{_mode} eq 'pre-shared-secret') {
            return (undef, "Pre-shared secrets are unsupported for IKEv2 Remote Access VPNs");
        }
        if ($self->{_auth_mode} eq 'x509') {
            $str .= <{_auth_mode} eq 'local') {
            $str .= <{_auth_mode} eq 'radius') {
            $str .= <{_oper_mode} eq 'ikev1-xauth') {
        if ($self->{_auth_mode} eq 'x509') {
            return (undef, "X.509 user authentication is not supported with IKEv1 XAUTH Remote Access VPN");
        }
        if ($self->{_auth_mode} eq 'local') {
            $str .= <{_auth_mode} eq 'radius') {
            $str .= <{_oper_mode} eq 'ikev1-hybrid') {
        if ($self->{_mode} eq 'pre-shared-secret') {
            return (undef, "Pre-shared secrets are not supported for IKEv1 XAUTH Hybrid Remote Access VPNs");
        }
        if ($self->{_auth_mode} eq 'x509') {
            return (undef, "X.509 user authentication is not supported with IKEv1 XAUTH Remote Access VPN");
        }
        if ($self->{_auth_mode} eq 'local') {
            $str .= <{_auth_mode} eq 'radius') {
            $str .= <{_auth_mode}));
    my @users = @{$self->{_auth_local}};
    print "IKEv2 VPN warning: Local user authentication not defined\n"
        if ($self->{_auth_mode} eq 'local' && scalar(@users) == 0);
    my $mode = "EAP";
    if ($self->{_oper_mode} eq 'ikev1-xauth') {
        $mode = "XAUTH";
    }
    my $str = $cfg_delim_begin;
    if ($self->{_auth_mode} eq 'local') {
        # _auth_local holds flat triples: username, password, enable/disable
        while (scalar(@users) > 0) {
            my $user = shift @users;
            my $pass = shift @users;
            my $disable = shift @users;
            # disabled accounts are simply left out of the secrets file
            if ($disable ne 'disable') {
                $str .= ("\n$user : $mode \"$pass\"\n");
            }
        }
    }
    $str .= $cfg_delim_end . "\n";
    return ($str, undef);
}

sub get_strongswan_opts {
    my ($self) = @_;
    my @dns = @{$self->{_dns}};
    my @wins = @{$self->{_wins}};
    my $sstr;
    if (@dns) {
        $sstr .= "\n\tdns =";
        foreach my $d (@dns) {
            $sstr .= (" $d,");
        }
        # drop the trailing comma
        chop($sstr);
    }
    if (@wins) {
        $sstr .= "\n\tnbns =";
        foreach my $w (@wins) {
            $sstr .= (" $w,");
        }
        chop($sstr);
    }
    my $rstr = '';
    $rstr = <{_auth_mode};
    return ("$cfg_delim_begin\n$cfg_delim_end\n", undef) if ($mode ne 'radius');

    my @auths = @{$self->{_auth_radius}};
    my @skeys = @{$self->{_auth_radius_keys}};
    return (undef, "No Radius servers specified") if ((scalar @auths) <= 0);
    # every RADIUS server needs its own key; the two lists are built in step
    return (undef, "Key must be specified for Radius server")
        if ((scalar @auths) != (scalar @skeys));

    my $authstr = '';
    my $server_num = 0;
    while ((scalar @auths) > 0) {

        my $auth = shift @auths;
        my $skey = shift @skeys;
        $authstr .=<{_dhcp_if}));
    if (defined($self->{_dhcp_if}) && defined($self->{_out_addr})) {
        return (undef, "Only one of dhcp-interface and outside-address can be defined.");
    }
    my $str =<{_dhcp_if}
/opt/vyatta/bin/sudo-users/vyatta-l2tp-dhcp.pl --config_iface=\"\$CFGIFACE\" --interface=\"\$interface\" --new_ip=\"\$new_ip_address\" --reason=\"\$reason\" --old_ip=\"\$old_ip_address\"
$cfg_delim_end
EOS
    return ($str, undef);

}

sub removeCfg {
    my ($self, $file) = @_;
    # delete everything between the two delimiter lines, inclusive
    system("sed -i '/$cfg_delim_begin/,/$cfg_delim_end/d' $file");
    if ($? >> 8) {
        print STDERR <>' : '>';
    my $WR = undef;
    if (!open($WR, "$op", "$file")) {
        print STDERR <{_dhcp_if}));
    return (!(Vyatta::Misc::isIPinInterfaces($config, $self->{_out_addr},
                                             @interfaces)));
}

sub print_str {
    my ($self) = @_;
    my $str = 'l2tp vpn';
    $str .= "\n  oaddr " . $self->{_out_addr};
    $str .= "\n  onexthop " . $self->{_out_nexthop};
    $str .= "\n  cip_start " . $self->{_client_ip_start};
    $str .= "\n  cip_stop " . $self->{_client_ip_stop};
    $str .= "\n  auth_mode " . $self->{_auth_mode};
    $str .= "\n  auth_local " . (join ",", @{$self->{_auth_local}});
    $str .= "\n  auth_radius " . (join ",", @{$self->{_auth_radius}});
    $str .= "\n  auth_radius_s " . (join ",", @{$self->{_auth_radius_keys}});
    $str .= "\n  dns " . (join ",", @{$self->{_dns}});
    $str .= "\n  wins " . (join ",", @{$self->{_wins}});
    $str .= "\n  empty " . $self->{_is_empty};
    $str .= "\n";

    return $str;
}

sub get_ike_proposals {
    #
    # Write IKE configuration from group
    #
    my $genout;
    my $vcVPN = new Vyatta::Config();
    $vcVPN->setLevel('vpn ipsec remote-access');
    my @ike_proposals = $vcVPN->listNodes("ike-settings proposal");

    my $first_ike_proposal = 1;
    foreach my $ike_proposal (@ike_proposals) {

        #
        # Get encryption, hash & Diffie-Hellman key size
        #
        my $encryption = $vcVPN->returnValue("ike-settings proposal $ike_proposal encryption");
        my $hash = $vcVPN->returnValue("ike-settings proposal $ike_proposal hash");
        my $dh_group = $vcVPN->returnValue("ike-settings proposal $ike_proposal dh-group");

        #
        # Write separator if not first proposal
        #
        if ($first_ike_proposal) {
            $first_ike_proposal = 0;
        } else {
            $genout .= ",";
        }

        #
        # Write values
        #
        if (defined($encryption) && defined($hash)) {
            $genout .= "$encryption-$hash";
            if (defined($dh_group)) {
                my $cipher_out = get_dh_cipher_result($dh_group);
                if ($cipher_out eq 'unknown') {
                    return undef;
                } else {
                    $genout .= "-$cipher_out";
                }
            }
        }
    }
    return $genout;
}

sub get_esp_proposals {
    my $genout;
    my $vcVPN = new Vyatta::Config();
    $vcVPN->setLevel('vpn ipsec remote-access');
    my @esp_proposals = $vcVPN->listNodes("esp-settings proposal");
    my $first_esp_proposal = 1;
    foreach my $esp_proposal (@esp_proposals) {

        #
        # Get encryption, hash and PFS group settings
        #
        my $encryption = $vcVPN->returnValue("esp-settings proposal $esp_proposal encryption");
        my $hash = $vcVPN->returnValue("esp-settings proposal $esp_proposal hash");
        my $pfs = $vcVPN->returnValue("esp-settings proposal $esp_proposal dh-group");

        #
        # Write separator if not first proposal
        #
        if ($first_esp_proposal) {
            $first_esp_proposal = 0;
        } else {
            $genout .= ",";
        }
        # 'enable'/'disable' carry no group of their own; only a concrete
        # group name or number adds a PFS component to the proposal
        if (defined($pfs)) {
            if ($pfs eq 'enable') {
                undef $pfs;
            } elsif ($pfs eq 'disable') {
                undef $pfs;
            } else {
                $pfs = get_dh_cipher_result($pfs);
            }
        }

        #
        # Write values
        #
        if (defined($encryption) && defined($hash)) {
            $genout .= "$encryption-$hash";
            if (defined($pfs)) {
                $genout .= "-$pfs";
            }
        }
    }
    return $genout;
}

# IANA DH group number -> strongSwan keyword; both "N" and "dh-groupN"
# spellings of the configured value are accepted
my %DH_GROUP_MAP = (
    2  => 'modp1024',
    5  => 'modp1536',
    14 => 'modp2048',
    15 => 'modp3072',
    16 => 'modp4096',
    17 => 'modp6144',
    18 => 'modp8192',
    19 => 'ecp256',
    20 => 'ecp384',
    21 => 'ecp521',
    22 => 'modp1024s160',
    23 => 'modp2048s224',
    24 => 'modp2048s256',
    25 => 'ecp192',
    26 => 'ecp224',
);

sub get_dh_cipher_result {
    my ($cipher) = @_;
    my ($num) = ($cipher =~ /^(?:dh-group)?(\d+)$/);
    return 'unknown' if (!defined($num) || !exists $DH_GROUP_MAP{$num});
    return $DH_GROUP_MAP{$num};
}

1;

--------------------------------------------------------------------------------
/scripts/vyos-update-agile.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl

use strict;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
use Vyatta::AgileConfig;
use File::Copy;
use Data::Dumper;

my $RACONN_NAME = 'agile-remote-access';
## XXX only the part after the last '-' affects order of conn matching!!!?
my $RACONN_NAME_WIN = "${RACONN_NAME}-win-aaa";
my $RACONN_NAME_MAC = "${RACONN_NAME}-mac-zzz";
my $FILE_IPSEC_CFG = '/etc/ipsec.conf';
my $FILE_IPSEC_SECRETS = '/etc/ipsec.secrets';
my $FILE_IPSEC_RACONN = "/etc/ipsec.d/tunnels/$RACONN_NAME";
my $FILE_CHAP_SECRETS = '/etc/ppp/secrets/chap-ravpn';
my $IPSEC_CTL_FILE = '/var/run/charon.ctl';
my $STRONGSWAN_ATTR_CONF = '/etc/strongswan.d/charon/attr.conf';
my $STRONGSWAN_AGILE_CONF = '/etc/strongswan.d/charon/agile_attr.conf';
my $STRONGSWAN_RADIUS_CONF = '/etc/strongswan.d/charon/eap-radius.conf';
my $STRONGSWAN_RADIUS_AGILE_CONF = '/etc/strongswan.d/charon/agile_eap-radius.conf';

my $gconfig = new Vyatta::Config;
my $config = new Vyatta::AgileConfig;
my $oconfig = new Vyatta::AgileConfig;
$config->setup();
$oconfig->setupOrig();

if ($config->isEmpty()) {
  if (!$oconfig->isEmpty()) {
    # remove remote-access vpn connections
    system ("ipsec stroke down-nb $RACONN_NAME");
    system ("ipsec rereadall >&/dev/null");
    system ("ipsec reload >&/dev/null");

    # restore the stock strongSwan plugin configs that were set aside on setup
    if ( ! -f $STRONGSWAN_ATTR_CONF) {
      move("$STRONGSWAN_ATTR_CONF.noload", $STRONGSWAN_ATTR_CONF);
      if (-f $STRONGSWAN_AGILE_CONF) {
        unlink($STRONGSWAN_AGILE_CONF);
      }
    }
    if ( ! -f $STRONGSWAN_RADIUS_CONF) {
      move("$STRONGSWAN_RADIUS_CONF.noload" , $STRONGSWAN_RADIUS_CONF);
      if (-f $STRONGSWAN_RADIUS_AGILE_CONF) {
        unlink($STRONGSWAN_RADIUS_AGILE_CONF);
      }
    }
    if ( -f $FILE_IPSEC_RACONN ) {
      system("rm -f $FILE_IPSEC_RACONN");
    }
  }
  exit 0;
}

# required ipsec settings
## ipsec-interfaces
my @ipsec_ifs = $gconfig->returnValues('vpn ipsec ipsec-interfaces interface');
## nat-traversal
my $nat_traversal = $gconfig->returnValue('vpn ipsec nat-traversal');
## nat-networks
my @nat_nets = $gconfig->listNodes('vpn ipsec nat-networks allowed-network');

my ($ipsec_secrets, $ra_conn, $sswan_radius, $sswan_users, $err, $sswan_opts)
  = (undef, undef, undef, undef, undef, undef);
while (1) {
  ($ipsec_secrets, $err) = $config->get_ipsec_secrets();
  last if (defined($err));
  ($ra_conn, $err) = $config->get_ra_conn($RACONN_NAME);
  last if (defined($err));
  ($sswan_opts, $err) = $config->get_strongswan_opts();
  last if (defined($err));
  ($sswan_radius, $err) = $config->get_strongswan_radius();
  last if (defined($err));
  ($sswan_users, $err) = $config->get_strongswan_secrets();
  # check this error too; otherwise it is silently overwritten by the next call
  last if (defined($err));
  $err = $config->setupX509IfNecessary();
  last;
}
if (defined($err)) {
  print STDERR "IKEv2 VPN configuration error: $err.\n";
  exit 1;
}
# Build our attribute file
if ( -f $STRONGSWAN_ATTR_CONF ) {
  move($STRONGSWAN_ATTR_CONF, "$STRONGSWAN_ATTR_CONF.noload");
  system("touch $STRONGSWAN_AGILE_CONF");
}
# Build our eap-radius file if radius is needed
if ( -f $STRONGSWAN_RADIUS_CONF ) {
  move($STRONGSWAN_RADIUS_CONF, "$STRONGSWAN_RADIUS_CONF.noload");
  system("touch $STRONGSWAN_RADIUS_AGILE_CONF");
}
if ( ! -f $FILE_IPSEC_RACONN ) {
  system("touch $FILE_IPSEC_RACONN");
}

exit 1 if (!$config->removeCfg($FILE_IPSEC_CFG));
exit 1 if (!$config->removeCfg($FILE_IPSEC_SECRETS));
exit 1 if (!$config->removeCfg($FILE_IPSEC_RACONN));
exit 1 if (!$config->removeCfg($STRONGSWAN_AGILE_CONF));
exit 1 if (!$config->removeCfg($STRONGSWAN_RADIUS_AGILE_CONF));

my $ipsec_cfg = "include $FILE_IPSEC_RACONN";
exit 1 if (!$config->writeCfg($FILE_IPSEC_CFG, $ipsec_cfg, 1, 1));
exit 1 if (!$config->writeCfg($FILE_IPSEC_SECRETS, $ipsec_secrets, 1, 0));
exit 1 if (!$config->writeCfg($FILE_IPSEC_SECRETS, $sswan_users, 1, 0));
exit 1 if (!$config->writeCfg($FILE_IPSEC_RACONN, $ra_conn, 0, 0));
exit 1 if (!$config->writeCfg($STRONGSWAN_AGILE_CONF, $sswan_opts, 0, 1));
exit 1 if (!$config->writeCfg($STRONGSWAN_RADIUS_AGILE_CONF, $sswan_radius, 0, 1));

# wait for ipsec to settle
if (!($config->maybeClustering($gconfig, @ipsec_ifs))) {
  my $sleep = 0;
  while (! -e $IPSEC_CTL_FILE) {
    sleep 1;
    if (++$sleep > 10) {
      print STDERR "IKEv2 VPN configuration error: IPsec did not start.\n";
      exit 1;
    }
  }
}

if (!($config->isDifferentFrom($oconfig))) {
  # config not actually changed. do nothing.
  exit 0;
} else {
  system ("ipsec rereadall >&/dev/null");
  system ("ipsec reload >&/dev/null");
  if (-f '/usr/sbin/swanctl') {
    system ("swanctl -r >&/dev/null");
  }
}

exit 0;

--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/local-users/node.def:
--------------------------------------------------------------------------------
help: Local user authentication for remote access IKEv2 VPN
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/local-users/username/node.def:
--------------------------------------------------------------------------------
tag:
help: User name for authentication
type: txt
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/local-users/username/node.tag/disable/node.def:
--------------------------------------------------------------------------------
help: Option to disable IKEv2 remote-access user
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/local-users/username/node.tag/password/node.def:
--------------------------------------------------------------------------------
help: Password for authentication
type: txt
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/mode/node.def:
--------------------------------------------------------------------------------
type: txt
help: Authentication mode for remote access IKEv2 VPN
syntax:expression: $VAR(@) in "local", "x509", "radius"; "Authentication mode must be \"local\", \"x509\" or \"radius\""
val_help: local; Use username/password in the configuration
val_help: x509; Use x509 certificates
val_help: radius; Use RADIUS
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/node.def:
--------------------------------------------------------------------------------
help: Authentication for remote access IKEv2 VPN
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/radius-server/node.def:
--------------------------------------------------------------------------------
tag:
type: ipv4
help: IP address of RADIUS server
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/authentication/radius-server/node.tag/key/node.def:
--------------------------------------------------------------------------------
type: txt
help: Key for accessing the specified server
syntax:expression: pattern $VAR(@) "^.{0,48}$" ; "Server key too long"
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/client-ip-pool/node.def:
--------------------------------------------------------------------------------
help: Pool of IP addresses to be assigned to remote clients
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/client-ip-pool/subnet/node.def:
--------------------------------------------------------------------------------
help: An IPv4 prefix where addresses will be assigned from
type: ipv4net
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/client-ip-pool/subnet6/node.def:
--------------------------------------------------------------------------------
help: An IPv6 prefix where addresses will be assigned from
type: ipv6net
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/compatibility-mode/node.def:
--------------------------------------------------------------------------------
help: Enable compatibility mode. If enabled, the proposals negotiated might include unsafe/legacy ciphers and might not provide Forward Secrecy
type: txt
default: "disable"
syntax:expression: $VAR(@) in "enable", "disable"; "must be enabled or disabled"
val_help: enable; Enable compatibility mode (potentially insecure)
val_help: disable; Disable compatibility mode (default)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/description/node.def:
--------------------------------------------------------------------------------
help: Description for IKEv2 remote-access settings
type: txt
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/dhcp-interface/node.def:
--------------------------------------------------------------------------------
type: txt
help: DHCP interface to listen on
allowed:
local -a array ;
array=( /var/run/eth* /var/run/br* /var/run/bond* ) ;
echo -n ${array[@]##*/}
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/dns-servers/node.def:
--------------------------------------------------------------------------------
help: Domain Name Service (DNS) server
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/dns-servers/server-1/node.def:
--------------------------------------------------------------------------------
help: Primary DNS server
type: ipv4
--------------------------------------------------------------------------------
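The proposal strings that get_ike_proposals() and get_esp_proposals() in AgileConfig.pm hand to strongSwan (for example "aes256-sha1-modp1024,aes256gcm128-sha256-ecp256") are exactly where the legacy ciphers and missing Forward Secrecy that the compatibility-mode help text warns about show up, so an offline audit of them is a useful operator check. The helper below is an added example, not part of the vyos-agile-vpn project; its weak-algorithm sets, function names and sample values are this example's own assumptions.

```python
"""Audit strongSwan proposal strings of the form built by get_ike_proposals()
and get_esp_proposals(). Added example, not part of the vyos-agile-vpn project."""
import re

# DH group number -> strongSwan name, the same table get_dh_cipher_result() encodes.
DH_GROUPS = {
    2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
    16: "modp4096", 17: "modp6144", 18: "modp8192", 19: "ecp256",
    20: "ecp384", 21: "ecp521", 22: "modp1024s160", 23: "modp2048s224",
    24: "modp2048s256", 25: "ecp192", 26: "ecp224",
}

# Assumption of this example: md5/sha1 and DH groups of roughly sub-112-bit
# strength count as legacy. Adjust to the policy of your deployment.
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH = {"modp1024", "modp1536", "modp1024s160", "ecp192", "ecp224"}

# Mirrors the values the encryption and hash node.def files accept.
PROPOSAL_RE = re.compile(
    r"^(?P<enc>aes(?:128|256)(?:gcm128)?)"
    r"-(?P<hash>md5|sha1|sha256|sha384|sha512)"
    r"(?:-(?P<dh>[a-z0-9]+))?$"
)


def build_proposals(entries):
    """Join (encryption, hash, dh_group) tuples the way the Perl code does.

    dh_group may be None (no DH group), a number, or a "dh-groupN" string.
    An unknown group yields None, matching the undef get_ike_proposals()
    returns when get_dh_cipher_result() answers 'unknown'.
    """
    parts = []
    for enc, hsh, dh in entries:
        item = f"{enc}-{hsh}"
        if dh is not None:
            try:
                name = DH_GROUPS[int(str(dh).replace("dh-group", ""))]
            except (KeyError, ValueError):
                return None
            item += f"-{name}"
        parts.append(item)
    return ",".join(parts)


def audit_proposals(proposal_str, is_esp=False):
    """Return a list of findings for one comma-separated proposal string."""
    findings = []
    for idx, item in enumerate(proposal_str.split(","), start=1):
        m = PROPOSAL_RE.match(item)
        if not m:
            findings.append(f"proposal {idx}: unparsable '{item}'")
            continue
        if m["hash"] in WEAK_HASHES:
            findings.append(f"proposal {idx}: legacy integrity/PRF algorithm {m['hash']}")
        dh = m["dh"]
        if dh is None:
            # get_esp_proposals() emits no group when dh-group is absent (or
            # set to enable/disable), so CHILD_SA rekeys run without PFS.
            what = ("ESP proposal has no DH group (no Forward Secrecy)"
                    if is_esp else "IKE proposal has no DH group")
            findings.append(f"proposal {idx}: {what}")
        elif dh in WEAK_DH:
            findings.append(f"proposal {idx}: weak DH group {dh}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the node.def defaults (aes256, sha1) with DH group 2,
    # next to a modern AEAD proposal, then an ESP proposal without a group.
    ike = build_proposals([("aes256", "sha1", 2), ("aes256gcm128", "sha256", 19)])
    for line in audit_proposals(ike):
        print("IKE:", line)
    esp = build_proposals([("aes256", "sha256", None)])
    for line in audit_proposals(esp, is_esp=True):
        print("ESP:", line)
```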
/templates-cfg/vpn/ipsec/remote-access/dns-servers/server-2/node.def:
--------------------------------------------------------------------------------
help: Secondary DNS server
type: ipv4
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/esp-settings/node.def:
--------------------------------------------------------------------------------
help: Encapsulating Security Protocol (ESP) settings for remote access IKEv2 VPN
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/esp-settings/proposal/node.def:
--------------------------------------------------------------------------------
tag:
type: u32
help: ESP-group proposal [REQUIRED]
syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 65535) ; "must be between 1-65535"
val_help: u32:1-65535; ESP-group proposal number

--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/esp-settings/proposal/node.tag/dh-group/node.def:
--------------------------------------------------------------------------------
help: Diffie-Hellman (DH) key exchange group
type: u32
syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
val_help: 2; DH group 2 (modp1024)
val_help: 5; DH group 5 (modp1536)
val_help: 14; DH group 14 (modp2048)
val_help: 15; DH group 15 (modp3072)
val_help: 16; DH group 16 (modp4096)
val_help: 17; DH group 17 (modp6144)
val_help: 18; DH group 18 (modp8192)
val_help: 19; DH group 19 (ecp256)
val_help: 20; DH group 20 (ecp384)
val_help: 21; DH group 21 (ecp521)
val_help: 22; DH group 22 (modp1024s160)
val_help: 23; DH group 23 (modp2048s224)
val_help: 24; DH group 24 (modp2048s256)
val_help: 25; DH group 25 (ecp192)
val_help: 26; DH group 26 (ecp224)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/esp-settings/proposal/node.tag/encryption/node.def:
--------------------------------------------------------------------------------
help: Encryption algorithm
type: txt
default: "aes256"
syntax:expression: $VAR(@) in "aes128", "aes128gcm128", "aes256", "aes256gcm128"; "must be aes128, aes128gcm128, aes256 or aes256gcm128"
val_help: aes128; AES-128-CBC encryption
val_help: aes128gcm128; AES-128-GCM encryption with 128 bit ICV
val_help: aes256; AES-256-CBC encryption (default)
val_help: aes256gcm128; AES-256-GCM encryption with 128 bit ICV
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/esp-settings/proposal/node.tag/hash/node.def:
--------------------------------------------------------------------------------
help: Hash algorithm
type: txt
default: "sha1"
syntax:expression: $VAR(@) in "md5", "sha1", "sha256", "sha384", "sha512"; "must be md5, sha1, sha256, sha384 or sha512"
val_help: md5; MD5 hash
val_help: sha1; SHA1 hash (default)
val_help: sha256; SHA2-256 hash
val_help: sha384; SHA2-384 hash
val_help: sha512; SHA2-512 hash
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/mode/node.def:
--------------------------------------------------------------------------------
type: txt
help: Authentication mode for IPsec
default: "x509"
syntax:expression: $VAR(@) in "pre-shared-secret", "x509"; "Authentication mode must be \"pre-shared-secret\" or \"x509\""
val_help: pre-shared-secret; Use pre-shared secret for IPsec authentication
val_help: x509; Use X.509 certificate for IPsec authentication

--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/node.def:
--------------------------------------------------------------------------------
help: IPsec authentication settings
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/pre-shared-secret/node.def:
--------------------------------------------------------------------------------
help: Pre-shared secret for IPsec
type: txt
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/ca-cert-file/node.def:
--------------------------------------------------------------------------------
type: txt
help: File containing the X.509 certificate for the Certificate Authority (CA)
syntax:expression: exec "/opt/vyatta/sbin/check_file_in_config_dir $VAR(@) '/config/auth'"
val_help: File in /config/auth
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/crl-file/node.def:
--------------------------------------------------------------------------------
type: txt
help: File containing the X.509 Certificate Revocation List (CRL)
syntax:expression: exec "/opt/vyatta/sbin/check_file_in_config_dir $VAR(@) '/config/auth'"
val_help: File in /config/auth
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/local-id/node.def:
--------------------------------------------------------------------------------
type: txt
help: Local Access Server's DNS Name in the Subject Alternative Name extension
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/node.def:
--------------------------------------------------------------------------------
help: X.509 certificate
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/remote-ca-cert-file/node.def:
--------------------------------------------------------------------------------
type: txt
help: File containing the X.509 certificate for the Certificate Authority (CA) used to validate the remote peer
syntax:expression: exec "/opt/vyatta/sbin/check_file_in_config_dir $VAR(@) '/config/auth'"
val_help: File in /config/auth
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/remote-id/node.def:
--------------------------------------------------------------------------------
type: txt
help: Remote Access Server's DNS Name in the Subject Alternative Name extension
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/server-cert-file/node.def:
--------------------------------------------------------------------------------
type: txt
help: File containing the X.509 certificate for the remote access VPN server (this host)
syntax:expression: exec "/opt/vyatta/sbin/check_file_in_config_dir $VAR(@) '/config/auth'"
val_help: File in /config/auth
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/server-key-file/node.def:
--------------------------------------------------------------------------------
type: txt
help: File containing the private key for the X.509 certificate for the remote access VPN server (this host)
syntax:expression: exec "/opt/vyatta/sbin/check_file_in_config_dir $VAR(@) '/config/auth'"
val_help: File in /config/auth
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/server-key-password/node.def:
--------------------------------------------------------------------------------
type: txt
help: Password that protects the private key
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/authentication/x509/server-key-type/node.def:
--------------------------------------------------------------------------------
type: txt
default: "rsa"
help: Sets the type of the server's private key
syntax:expression: $VAR(@) in "rsa", "ecdsa"; "Server key type must be \"rsa\" or \"ecdsa\""
val_help: rsa; Server key type is RSA
val_help: ecdsa; Server key type is ECDSA
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/esp-group/node.def:
--------------------------------------------------------------------------------
help: Default ESP group name
type: txt
allowed: cli-shell-api listActiveNodes vpn ipsec esp-group
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/fragmentation/node.def:
--------------------------------------------------------------------------------
help: Enable the IKEv2 Fragmentation Extension (RFC 7383) or IKEv1 fragmentation as defined in MS-IKEE, depending on operating-mode
type: txt
default: "disable"
syntax:expression: $VAR(@) in "enable", "disable"; "must be enabled or disabled"
val_help: enable; Enable Fragmentation
val_help: disable; Disable Fragmentation (default)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/ike-lifetime/node.def:
--------------------------------------------------------------------------------
help: IKE lifetime
type: u32
default: 86400
syntax:expression: ($VAR(@) >= 30) ; "must be at least 30 seconds"
val_help: u32:30-86400; IKE lifetime in seconds (default 86400)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/node.def:
--------------------------------------------------------------------------------
help: Internet Key Exchange (IKE) settings for remote access IKEv2 VPN
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/operating-mode/node.def:
--------------------------------------------------------------------------------
help: Operating mode of the VPN Services
type: txt
default: "ikev2-mobike"
syntax:expression: $VAR(@) in "ikev2-mobike", "ikev1-xauth", "ikev1-hybrid"; "must be ikev2-mobike, ikev1-xauth or ikev1-hybrid"
val_help: ikev1-xauth; IKEv1 XAUTH
val_help: ikev1-hybrid; IKEv1 Hybrid
val_help: ikev2-mobike; IKEv2 MOBIKE (default)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/proposal/node.def:
--------------------------------------------------------------------------------
tag:
help: IKE-group proposal [REQUIRED]
type: u32
syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 65535) ; "must be between 1-65535"
val_help: u32:1-65535; IKE-group proposal

--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/proposal/node.tag/dh-group/node.def:
--------------------------------------------------------------------------------
help: Diffie-Hellman (DH) key exchange group
type: u32
syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
val_help: 2; DH group 2 (modp1024)
val_help: 5; DH group 5 (modp1536)
val_help: 14; DH group 14 (modp2048)
val_help: 15; DH group 15 (modp3072)
val_help: 16; DH group 16 (modp4096)
val_help: 17; DH group 17 (modp6144)
val_help: 18; DH group 18 (modp8192)
val_help: 19; DH group 19 (ecp256)
val_help: 20; DH group 20 (ecp384)
val_help: 21; DH group 21 (ecp521)
val_help: 22; DH group 22 (modp1024s160)
val_help: 23; DH group 23 (modp2048s224)
val_help: 24; DH group 24 (modp2048s256)
val_help: 25; DH group 25 (ecp192)
val_help: 26; DH group 26 (ecp224)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/proposal/node.tag/encryption/node.def:
--------------------------------------------------------------------------------
help: Encryption algorithm
type: txt
default: "aes256"
syntax:expression: $VAR(@) in "aes128", "aes128gcm128", "aes256", "aes256gcm128"; "must be aes128, aes128gcm128, aes256 or aes256gcm128"
val_help: aes128; AES-128-CBC encryption
val_help: aes128gcm128; AES-128-GCM encryption with 128 bit ICV
val_help: aes256; AES-256-CBC encryption (default)
val_help: aes256gcm128; AES-256-GCM encryption with 128 bit ICV
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/ike-settings/proposal/node.tag/hash/node.def:
--------------------------------------------------------------------------------
help: Hash algorithm
type: txt
default: "sha1"
syntax:expression: $VAR(@) in "md5", "sha1", "sha256", "sha384", "sha512"; "must be md5, sha1, sha256, sha384 or sha512"
val_help: md5; MD5 hash
val_help: sha1; SHA1 hash (default)
val_help: sha256; SHA2-256 hash
val_help: sha384; SHA2-384 hash
val_help: sha512; SHA2-512 hash
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/inactivity/node.def:
--------------------------------------------------------------------------------
help: Interval after which the connection is closed if no data has been transmitted between the gateway and the client. Default interval is 8 hours.
type: u32
default: 28800
syntax:expression: ($VAR(@) >= 10 && $VAR(@) <= 86400) ; "must be between 10-86400 seconds"
val_help: u32:10-86400; Timeout in seconds (default 28800)
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/local-ip/node.def:
--------------------------------------------------------------------------------
help: Optional IP address to use on the local side of the tunnel
type: ipv4
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/node.def:
--------------------------------------------------------------------------------
priority: 910
help: Remote access IKEv2 VPN
end:sudo /opt/vyatta/sbin/vyos-update-agile.pl || exit 1
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/outside-address/node.def:
--------------------------------------------------------------------------------
help: Outside IP address to which VPN clients will connect
type: ipv4
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/updown-script/node.def:
--------------------------------------------------------------------------------
help: StrongSwan updown script
type: txt
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/wins-servers/node.def:
--------------------------------------------------------------------------------
help: Windows Internet Name Service (WINS) server settings
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/wins-servers/server-1/node.def:
--------------------------------------------------------------------------------
help: Primary WINS server
type: ipv4
--------------------------------------------------------------------------------
/templates-cfg/vpn/ipsec/remote-access/wins-servers/server-2/node.def:
--------------------------------------------------------------------------------
help: Secondary WINS server
type: ipv4
--------------------------------------------------------------------------------