
T6617: T6618: vpn ipsec remote-access: fix profile generators #3903

Merged: 1 commit merged into vyos:current on Aug 1, 2024

Conversation

lucasec
Contributor

@lucasec lucasec commented Jul 30, 2024

Change Summary

This fixes several issues with the iOS and Windows remote access VPN profile generators (generate ipsec profile) not working correctly in certain scenarios.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6617
https://vyos.dev/T6618

Related PR(s)

Component(s) name

vpn ipsec remote-access

Proposed changes

This updates both the iOS and Windows profile generators.

How to test

Within edit vpn ipsec:

set ike-group ClientVPN-Client key-exchange 'ikev2'
set ike-group ClientVPN-Client lifetime '0'
set ike-group ClientVPN-Client proposal 1 dh-group '19'
set ike-group ClientVPN-Client proposal 1 encryption 'aes256gcm128'
set ike-group ClientVPN-Client proposal 1 hash 'sha256'
set esp-group ClientVPN-Client lifetime '3600'
set esp-group ClientVPN-Client pfs 'enable'
set esp-group ClientVPN-Client proposal 1 encryption 'aes256gcm128'
set esp-group ClientVPN-Client proposal 1 hash 'sha256'
set remote-access connection ClientVPN authentication client-mode 'x509'
set remote-access connection ClientVPN authentication local-id 'router.test.com'
set remote-access connection ClientVPN authentication server-mode 'x509'
set remote-access connection ClientVPN authentication x509 ca-certificate <CA CERT ID>
set remote-access connection ClientVPN authentication x509 certificate <SERVER CERT ID>
set remote-access connection ClientVPN dhcp-interface 'eth0'
set remote-access connection ClientVPN esp-group 'ClientVPN-Client'
set remote-access connection ClientVPN ike-group 'ClientVPN-Client'
set remote-access connection ClientVPN pool 'Client-Pool-v4'
set remote-access pool Client-Pool-v4 prefix 10.10.10.0/24

Commit and then try:
generate ipsec profile ios-remote-access ClientVPN remote router.test.com
generate ipsec profile windows-remote-access ClientVPN remote router.test.com

Smoketest result

N/A

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
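One way to check what the generate commands above produce, as an added example that is not VyOS's generator code: the Python below restates the test configuration in Apple's mobileconfig IKEv2 keys and compares a generated iOS profile against it. The VyOS-to-Apple algorithm name mapping and the constructed sample profile are assumptions, not taken from the project.

```python
import plistlib
# Added example, not VyOS's generator code. The "How to test" configuration above is
# restated in Apple's mobileconfig IKEv2 vocabulary and used to verify that a
# generated iOS profile carries those values. The VyOS -> Apple name mappings
# are assumptions, not taken from the project.
ENC = {"aes256gcm128": "AES-256-GCM", "aes128gcm128": "AES-128-GCM",
       "aes256": "AES-256", "aes128": "AES-128"}
HASH = {"sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}

def expected_params(encryption, hash_, dh_group):
    """Apple SA-parameter dict for one VyOS proposal (ike-group or esp-group)."""
    return {"EncryptionAlgorithm": ENC[encryption],
            "IntegrityAlgorithm": HASH[hash_],
            "DiffieHellmanGroup": int(dh_group)}

def check_profile(profile_bytes, remote, local_id, ike, esp):
    """Return mismatches between a .mobileconfig and the expected settings."""
    plist = plistlib.loads(profile_bytes)
    vpn = [p for p in plist.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpn:
        return ["no com.apple.vpn.managed payload found"]
    ikev2 = vpn[0].get("IKEv2", {})
    findings = []
    # Peer address, expected server identity and certificate-based auth.
    for key, want in (("RemoteAddress", remote), ("RemoteIdentifier", local_id),
                      ("AuthenticationMethod", "Certificate")):
        if ikev2.get(key) != want:
            findings.append(f"{key}: got {ikev2.get(key)!r}, want {want!r}")
    # IKE SA and child (ESP) SA crypto parameters.
    for section, want in (("IKESecurityAssociationParameters", ike),
                          ("ChildSecurityAssociationParameters", esp)):
        got = ikev2.get(section, {})
        for k, v in want.items():
            if got.get(k) != v:
                findings.append(f"{section}.{k}: got {got.get(k)!r}, want {v!r}")
    return findings

def sample_profile(ike, esp, remote="router.test.com"):
    """Constructed minimal profile standing in for 'generate ipsec profile' output."""
    payload = {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2",
               "IKEv2": {"RemoteAddress": remote, "RemoteIdentifier": remote,
                         "AuthenticationMethod": "Certificate",
                         "IKESecurityAssociationParameters": ike,
                         "ChildSecurityAssociationParameters": esp}}
    return plistlib.dumps({"PayloadContent": [payload]})

# From the test config: both groups use aes256gcm128 / sha256; the ESP group
# inherits DH group 19 from the IKE group via 'pfs enable'.
IKE = expected_params("aes256gcm128", "sha256", 19)
ESP = expected_params("aes256gcm128", "sha256", 19)
```

Feed the bytes of a real profile from `generate ipsec profile ios-remote-access` into check_profile in place of sample_profile to compare it against the same expectations.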

@lucasec lucasec requested a review from a team as a code owner July 30, 2024 07:24

github-actions bot commented Jul 30, 2024

👍
No issues in PR Title / Commit Title

warning: Unused import pprint in src/op_mode/ipsec.py:16.


CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed

@c-po c-po merged commit b12cd41 into vyos:current Aug 1, 2024
14 of 15 checks passed
@c-po
Member

c-po commented Aug 1, 2024

@Mergifyio backport sagitta circinus


mergify bot commented Aug 1, 2024

backport sagitta circinus

✅ Backports have been created

@lucasec lucasec deleted the ipsec-remote-access-profile branch August 1, 2024 07:22
c-po added a commit that referenced this pull request Aug 1, 2024
T6617: T6618: vpn ipsec remote-access: fix profile generators (backport #3903)
c-po added a commit that referenced this pull request Aug 2, 2024
T6617: T6618: vpn ipsec remote-access: fix profile generators (backport #3903)